Avoid indirect dependency on `github.com/oleiade/[email protected]` to avoid breaking Dependabot for projects that use fosite

[cfryanr]

Preflight checklist

• [X] I could not find a solution in the existing issues, docs, nor discussions.
• [X] I agree to follow this project's Code of Conduct.
• [X] I have read and am following this repository's Contribution Guidelines.
• [ ] This issue affects my Ory Cloud project.
• [ ] I have joined the Ory Community Slack.
• [ ] I am signed up to the Ory Security Patch Newsletter.

Describe your problem

A recent PR updated fosite's direct dependency on github.com/oleiade/[email protected] to v1.0.1 (#587). This was to avoid the problem described in https://github.com/oleiade/reflections/issues/14 where the developer of that project changed the checksum of v1.0.0.

Unfortunately, the latest version of fosite still carries indirect dependencies on github.com/oleiade/[email protected]. This can be seen by starting a new Go project which contains only a go.mod file with the following contents and then running go mod graph | grep 'github.com/oleiade/[email protected]'.

module fositedeps

go 1.17

require (
	github.com/ory/fosite v0.41.0
)

Following the dependency graph from the go mod graph output indicates that the latest version of fosite indirectly depends on a very old version of fosite (v0.29.0) which directly depends on the broken reflections v1.0.0.

This indirect dependency is not a problem in terms of being able to compile and run a project which imports the latest fosite. The impact is felt when that project starts to use dependency scanning software like GitHub's Dependabot, which analyzes the project's go.sum file, gets an error about reflections v1.0.0's checksum, and then refuses to continue, effectively disabling Dependabot for the project. Dependabot will stop flagging project dependencies that have updates available or have known security vulnerabilities.

Describe your ideal solution

Ideally the simple test project described above would not have github.com/oleiade/[email protected] anywhere in its dependency graph, and would use v1.0.1 instead. Running go mod tidy for that project would not put reflections v1.0.0 anywhere in the go.sum file.

I think the dependency exists because old versions of ory/x directly depended on the old version of fosite. Newer versions of ory/x don't have that dependency. If all indirect dependencies on ory/x were updated to use newer versions of ory/x, then the indirect dependency on reflections v1.0.0 should go away.

Workarounds or alternatives

Our project added a replace directive to work around the problem. See https://github.com/vmware-tanzu/pinniped/blob/adf04d29f77fe54fa7bc3c7f9cf11f258303c13a/go.mod#L5-L18.

However, adding a replace directive is less than ideal because then any project which depends on our project would also need to know to add the same replace directive to avoid having a similar problem. It would be better if the replace directive were not needed.

Version

v0.41.0

Additional Context

Thanks for providing this great open source library!

[aeneasr]

Sorry! I missed the notification! Absolutely, please feel free to add a PR :)

[github-actions[bot]]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️