Open
Description
Proposed Change
As CF ARP WG
I want to only use maintained dependencies
So that I am not exposed to the need of huge refactoring under time-pressure.
Current unmaintained deps
Some of the direct dependencies in routing-release are no longer maintained by an active community. Via this issue, we list them and offer alignment across the working group if any of them are addressed.
- https://github.com/rcrowley/go-metrics: Archived in 2025, used for metrics of the /varz endpoint of gorouter. Alternatives listed here: https://github.com/rcrowley/go-metrics?tab=readme-ov-file#archived-as-of-april-1-2025
- https://github.com/tedsuo/ifrit: See "Eliminate dependency to unmaintained repo tedsuo/ifrit" (#524)
- https://github.com/cloudfoundry/sonde-go (and https://github.com/cloudfoundry/dropsonde): Deprecated, use loggregator v2 and https://github.com/cloudfoundry/go-loggregator
- https://github.com/go-yaml/yaml (gopkg.in/yaml.v3): No longer maintained from April 2025. Alternatives exist, and taking over responsibility as the CF community might be an option, similar to ifrit.
- https://github.com/openzipkin/zipkin-go: Used to set and propagate b3-tracing-headers. Not much traction during 2025, but the community still exists and is open to trigger bumps in case of CVEs. It could still be checked if this feature is heavily used or if a deprecation should be triggered, e.g. pushing to move to w3c-tracing.
Additionally, a list of candidates for routing-api which were not yet evaluated more closely:
- github.com/cactus/go-statsd-client
- github.com/go-sql-driver/mysql
- github.com/jinzhu/gorm
- github.com/lib/pq
- github.com/tedsuo/rata
- github.com/vito/go-sse
- github.com/golang-jwt/jwt/v4
Acceptance criteria
For each dependency, a replacement is found or a decision is taken to accept the current risk.
Related links
No response