Description
🤷‍♂️ Did this trigger a warning in a consuming package you have? The dependency only comes in for running this package's unit tests, so it'd be interesting & unexpected if the vulnerable dependency was being transitively picked up in the consumer.
bryan@air yolo % cat main.go
package main

import (
	"github.com/aws/aws-lambda-go/lambda"
)

func main() {
	lambda.Start(func() {})
}
bryan@air yolo % cat go.mod
module yolo

go 1.18

require github.com/aws/aws-lambda-go v1.32.0
bryan@air yolo % cat go.sum
github.com/aws/aws-lambda-go v1.32.0 h1:i8MflawW1hoyYp85GMH7LhvAs4cqzL7LOS6fSv8l2KM=
github.com/aws/aws-lambda-go v1.32.0/go.mod h1:IF5Q7wj4VyZyUFnZ54IQqeWtctHQ9tz+KhcbDenr220=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
Ahh, must be because of the github.com/aws/aws-lambda-go/test package being in the repo:
https://github.com/aws/aws-lambda-go/blob/main/events/test/jsoncompare.go#L8
Originally posted by @bmoffatt in #446 (comment)
Dropping a go.mod into the folder might be sufficient to break the resolution for consumers, unless of course there's an explicit import of github.com/aws/aws-lambda-go/events/test.
May also consider deleting the package, as it doesn't provide value over direct use of testify in the _test.go files. However... I know I've seen an internal codebase of ours import from this package, so that'd be a breaking change for someone else's unit testing.
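Added example, not code from aws-lambda-go or from the issue: a miniature of `go mod why -m`, walking `go mod graph`-style output from the consumer's root module to show the requirement chain that brings gopkg.in/yaml.v3 into `yolo`, and that removing the testify requirement from aws-lambda-go's root go.mod (the effect of a nested go.mod under events/test) makes that chain disappear. The edge list is constructed from the versions in the go.sum above, not captured tool output.

```python
from collections import deque

# Constructed `go mod graph` output for the consumer module "yolo" from the
# issue, using the versions in its go.sum. Each line is "requirer requirement";
# the root module carries no @version. The edge list is an assumption.
MOD_GRAPH = """\
yolo github.com/aws/aws-lambda-go@v1.32.0
github.com/aws/aws-lambda-go@v1.32.0 github.com/stretchr/testify@v1.6.1
github.com/stretchr/testify@v1.6.1 github.com/davecgh/go-spew@v1.1.1
github.com/stretchr/testify@v1.6.1 github.com/pmezard/go-difflib@v1.0.0
github.com/stretchr/testify@v1.6.1 gopkg.in/yaml.v3@v3.0.0-20200615113413-eeeca48fe776
"""

def parse_mod_graph(text):
    """Return {requirer: [requirement, ...]} from `go mod graph` lines."""
    graph = {}
    for line in text.splitlines():
        if line.strip():
            src, dst = line.split()
            graph.setdefault(src, []).append(dst)
    return graph

def module_path(node):
    """Strip the @version suffix: 'a/b@v1.0.0' -> 'a/b'."""
    return node.split("@", 1)[0]

def why_module(graph, root, target):
    """Shortest requirement chain from root to any version of target, or None.
    This is the module-level question `go mod why -m target` answers."""
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if module_path(path[-1]) == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def drop_requirement(graph, requirer, requirement):
    """Model the proposed fix: a nested go.mod under events/test moves the
    testify requirement out of aws-lambda-go's root go.mod, so the edge
    requirer -> requirement no longer exists in the consumer's graph."""
    return {src: [d for d in dsts
                  if not (module_path(src) == requirer
                          and module_path(d) == requirement)]
            for src, dsts in graph.items()}
```

Call `why_module(parse_mod_graph(MOD_GRAPH), "yolo", "gopkg.in/yaml.v3")` to see the chain through testify; after `drop_requirement(..., "github.com/aws/aws-lambda-go", "github.com/stretchr/testify")` the same query returns None.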