Prune unmaintained dependencies

[JPZ13]

Summary

Similar to #11053 that @isubasinghe reported, we have many dependencies in our go.mod file (and I assume more in the package.json) that are no longer being actively maintained. We should start culling these dependencies. It gets us the following advantages:

• Fewer attack vectors
• Less code to maintain
• Easier to modify behavior
• Less need to maintain forks of dependencies

---

Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

[JPZ13]

Running list of unmaintained go packages in Argo Workflows dependencies:

• github.com/Knetic/govaluate: Fix {{..}} templating -- standardize on expr #9529, whenExpression: when using expr instead of govaluate #7831
• github.com/blushft/go-diagrams
• github.com/doublerebel/bellows
• github.com/gorilla/handlers: Prune unmaintained dependencies #11120 (comment)
• github.com/gorilla/websocket: Prune unmaintained dependencies #11120 (comment)
• github.com/robfig/cron
• github.com/sirupsen/logrus
• github.com/skratchdot/open-golang
• github.com/tidwall/gjson: Prune unmaintained dependencies #11120 (comment)
• github.com/valyala/fasttemplate: Remove github.com/valyala/fasttemplate dependency #7810
• github.com/xeipuuv/gojsonschema

[ryancurrah]

For logging, in Go 1.21 there will be a structured logger in the standard library.

Proposal: https://www.reddit.com/r/golang/comments/11sdqia/slog_proposal_accepted_for_go_121.

You can even use it now via golang.org/x/exp/slog.

We implemented a logging interface based off of https://github.com/go-logr/logr. And are able to switch to the new standard library logger without changing downstream modules use of our logging library.

[tidwall]

@JPZ13 Just out of curiosity what metric did you use to determine which packages are unmaintained?

[JPZ13]

@tidwall - eyeballed a few and then also used this: https://isitmaintained.com/

gjson was showing up as unmaintained, so I included it. Happy to scratch from the list if it's a false positive

[tidwall]

@JPZ13 Thanks for the info. I consider gjson a maintained project.

[tico24]

You can find EOL packages by using https://github.com/xeol-io/xeol. This can be added to CI with relative ease for ongoing reporting.

[terrytangyuan]

Gorilla projects should be back alive. gorilla/mux#707 (comment)

[jamietanna]

That's cool @tico24 - I've built a similar thing at https://dmd.tanna.dev using https://endoflife.date as well as community-sourced data!

[weafscast]

@agilgur5 wdyt about moving to https://github.com/casbin/govaluate for the meanwhile?

[weafscast]

Removing bellows -> #13591

[agilgur5]

@agilgur5 wdyt about moving to https://github.com/casbin/govaluate for the meanwhile?

I wouldn't think about it too much as we're going to remove it soon, c.f. #9529, #7831
Casbin having a fork is interesting, though it seems to introduce some new features too, and I'd rather we not to do that given govaluate is on the way out anyway