ghodss/yaml

๐Ÿšš New fork available at invopop/yaml

samlown opened this issue ยท 6 comments

I've been using this package extensively over the last few years as it makes working with YAML in Go much easier. YAML is great, but it's flexibility also makes it hard to work with sometimes in Go; converting first to JSON makes a ton of sense for most use-cases. I was quite sad to see the number of unresolved issues and felt that the latest security scare (CVE-2022-28948) was enough to warrant a fork, so I did:

https://github.com/invopop/yaml

Most of the issues I see are related to the fact that the library is still using yaml.v2, so our first step was to upgrade to yaml.v3: invopop/yaml#2. It was more complex than expected due to the change in handling of keys in maps, but it's working now.

We also maintain the jsonschema package so are quite used to the messy reflection stuff that needs to happen behind the scenes.

I do hope that the original maintainers don't mind, and I'd like to take this opportunity to thank them for all their work! I hope we can continue to maintain our fork effectively, and welcome any contributions.

I am testing it @samlown

@samlown your changes looks good to me!

/merge

So this post promotes a fork, but that fork didn't get any commit for 2 years, not even in the CI to extend the tested Go versions to the latest ones.

So that fork is also just as dead.

@dolmen yeah, not much time I'm afraid and if I miss any of the messages, which is likely, then its rare I swing by. We're using this project actively in https://github.com/invopop/gobl, so as an extension of that, we make sure it still does everything we need.

Let me know if there is something I've missed as an urgent fix, otherwise well tested PRs are always welcome!

There is another fork here (also forks go-yaml) that is supposed to be maintained by Kubernetes people: kubernetes-sigs/yaml