
The gopkg.in/yaml.v3 dependency is a build risk #409

@rix0rrr

Hi, I'm from the AWS CDK team.

Your dependency on gopkg.in/yaml.v3 involves an external site: gopkg.in. As of today, any attempt to fetch a package from this site fails with the error:

go: gopkg.in/[email protected]: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /go/pkg/mod/cache/vcs/9241c28341fcedca6a799ab7a465dd6924dc5d94044cbfabb75778817250adfc: exit status 128:
    error: RPC failed; HTTP 502 curl 22 The requested URL returned error: 502 Bad Gateway
    fatal: The remote end hung up unexpectedly

This site seems to be run by a single person called Gustavo Niemeyer. It doesn't look like there is an SLA on this website, and there is no reasonable expectation of this person investing timely effort into fixing their site. In the meantime, any build involving aws-lambda-go will fail.

Currently for us, since our PR validation build (and release pipeline) does a go build involving aws-lambda-go, it looks like we cannot merge any PR or release any version of CDK because of this.

It seems problematic that we are at the mercy of the volunteer efforts by a single person in order to successfully complete a build involving this AWS-vended library. I would ask you to find replacements for any dependencies that come from gopkg.in. Their presence constitutes an availability risk.
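
Added example (not part of the original issue and not aws-lambda-go code): a small Go check that lists the modules a go.mod requires from gopkg.in, so the exposure described above can be inventoried per repository. The go.mod text is constructed, and treating a replace directive as moving the fetch off the original host is an assumption of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample go.mod; module names and versions are illustrative only.
const sampleGoMod = `module example.com/app
require github.com/stretchr/testify v1.8.0
require (
	gopkg.in/yaml.v3 v3.0.0 // indirect
	gopkg.in/check.v1 v1.0.0 // indirect
)
replace gopkg.in/check.v1 => github.com/example/check v1.0.0
`

// ModulesOnHost lists required modules under host that no replace directive redirects.
func ModulesOnHost(goMod, host string) []string {
	var required, out []string
	block, replaced := "", map[string]bool{} // block: directive of an open "( )" group
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case len(f) == 1 && f[0] == ")":
			block = ""
		case len(f) > 0 && block != "":
			f = append([]string{block}, f...) // treat as "<directive> <args>"
		}
		if len(f) > 1 && f[0] == "require" && strings.HasPrefix(f[1], host+"/") {
			required = append(required, f[1])
		} else if len(f) > 1 && f[0] == "replace" {
			replaced[f[1]] = true
		}
	}
	for _, m := range required {
		if !replaced[m] {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	for _, m := range ModulesOnHost(sampleGoMod, "gopkg.in") {
		fmt.Println("fetched from third-party host:", m)
	}
}
```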
