Increasingly large number of 3rd party packages in platform/go.sum
There are a very large number of 3rd party packages that are being referenced in the platform repo, based on the contents of the go.sum file. Each external reference introduces potential costs and risks, including license terms, potential code injection attack vectors, and version maintenance among other things. If possible, these references should be reduced to the bare minimum in order to cut these costs and risks.
Some of the references are fairly well-known (Microsoft, Docker, Google, etc), but others have less obvious reputations (dario.cat, cpuguy83, xeipuuv, fortytw2 as random examples) and should be reviewed somehow.
Even if these packages are solely used in test drivers, and will not appear in production code, the tests would presumably be running in a CI environment that would be producing the production code, and therefore could have direct access to the binaries that will be used for production.
Also, if only a small amount of functionality is being used from a large package, that could unnecessarily adversely affect the size and performance of the production code.
As of this writing (3/5/24) there are about 200 unique packages in the go.sum file.
Good find @patmantru!
This should not be auto-closed. Needs review and attention.
Currently at 231:
platform % cat `find . -name go.sum` | awk '{print $1}' | sort | uniq | wc
231 231 6632
Up to 240:
platform % cat `find . -name go.sum` | awk '{print $1}' | sort | uniq | wc
240 240 6946
Reopening again.
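As an added example (not code from the platform repo or from anyone in this thread), the Go program below parses go.sum text and derives the numbers the thread has been tracking: it counts unique module paths the way the `awk '{print $1}' | sort | uniq | wc` pipeline does, and it also shows why the raw line count is much higher than the module count (each module version normally has an `h1:` line for the zip and a `/go.mod` line, and several versions of one module can coexist). It groups modules by hosting domain as a first cut at the "well-known vs. needs review" split. The input is constructed sample data with placeholder hashes. One caveat worth keeping in mind when reading any of these counts: go.sum can carry hashes for modules that were consulted during resolution but are not in the final build graph, so `go list -m all` or `go mod why <module>` is the check to run before concluding that a module actually ships in production code.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sumEntry is one parsed line of a go.sum file.
type sumEntry struct {
	Module  string // module path, e.g. github.com/google/uuid
	Version string // module version, with any "/go.mod" suffix stripped
	GoMod   bool   // true when the line hashes only the module's go.mod file
	Hash    string // the h1: hash as written
}

// sampleGoSum is constructed sample input in go.sum format; the hashes are
// placeholders and nothing here is taken from the platform repo.
const sampleGoSum = `github.com/docker/docker v24.0.7+incompatible h1:PLACEHOLDER1=
github.com/docker/docker v24.0.7+incompatible/go.mod h1:PLACEHOLDER2=
github.com/google/uuid v1.3.0 h1:PLACEHOLDER3=
github.com/google/uuid v1.3.0/go.mod h1:PLACEHOLDER4=
github.com/google/uuid v1.6.0 h1:PLACEHOLDER5=
github.com/google/uuid v1.6.0/go.mod h1:PLACEHOLDER4=
dario.cat/mergo v1.0.0 h1:PLACEHOLDER6=
dario.cat/mergo v1.0.0/go.mod h1:PLACEHOLDER7=
`

// parseGoSum parses go.sum text. Each line is "<module> <version>[/go.mod] <hash>";
// anything else is reported as an error rather than silently skipped.
func parseGoSum(text string) ([]sumEntry, error) {
	var entries []sumEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("go.sum line %d: expected 3 fields, got %d", lineNo, len(fields))
		}
		e := sumEntry{Module: fields[0], Version: fields[1], Hash: fields[2]}
		if strings.HasSuffix(e.Version, "/go.mod") {
			e.GoMod = true
			e.Version = strings.TrimSuffix(e.Version, "/go.mod")
		}
		entries = append(entries, e)
	}
	return entries, sc.Err()
}

// uniqueModules returns the sorted distinct module paths: the same figure the
// thread's awk/sort/uniq pipeline reports.
func uniqueModules(entries []sumEntry) []string {
	seen := make(map[string]bool)
	for _, e := range entries {
		seen[e.Module] = true
	}
	mods := make([]string, 0, len(seen))
	for m := range seen {
		mods = append(mods, m)
	}
	sort.Strings(mods)
	return mods
}

// versionsPerModule counts the distinct versions go.sum holds hashes for, per
// module; multiple versions are normal and inflate raw line counts.
func versionsPerModule(entries []sumEntry) map[string]int {
	versions := make(map[string]map[string]bool)
	for _, e := range entries {
		if versions[e.Module] == nil {
			versions[e.Module] = make(map[string]bool)
		}
		versions[e.Module][e.Version] = true
	}
	counts := make(map[string]int, len(versions))
	for m, vs := range versions {
		counts[m] = len(vs)
	}
	return counts
}

// modulesByHost groups module paths by their first path element (the hosting
// domain), a cheap way to separate well-known hosts from ones needing review.
func modulesByHost(mods []string) map[string][]string {
	byHost := make(map[string][]string)
	for _, m := range mods {
		host := m
		if i := strings.IndexByte(m, '/'); i >= 0 {
			host = m[:i]
		}
		byHost[host] = append(byHost[host], m)
	}
	return byHost
}

func main() {
	entries, err := parseGoSum(sampleGoSum)
	if err != nil {
		panic(err)
	}
	mods := uniqueModules(entries)
	fmt.Printf("%d go.sum lines, %d unique modules\n", len(entries), len(mods))
	counts := versionsPerModule(entries)
	byHost := modulesByHost(mods)
	hosts := make([]string, 0, len(byHost))
	for h := range byHost {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	for _, h := range hosts {
		fmt.Printf("%s:\n", h)
		for _, m := range byHost[h] {
			fmt.Printf("  %s (%d version(s))\n", m, counts[m])
		}
	}
}
```

Run against a real checkout by replacing `sampleGoSum` with the concatenated contents of every go.sum the `find . -name go.sum` command turns up; the unique-module count should match the `wc` figure from the thread, and the per-host listing gives a starting point for the review the issue asks for.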