-
Notifications
You must be signed in to change notification settings - Fork 352
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Add golanci/golint to github actions #18
Conversation
Signed-off-by: Alistair Hey <[email protected]>
6a0e3b4
to
651b386
Compare
Signed-off-by: Alistair Hey <[email protected]>
dc8fa70
to
2b7973c
Compare
adding error checking may have uncovered a bug - going to take a look a little later |
if _, err = io.Copy(buf, res.Body); err != nil { | ||
fatal(err) | ||
} | ||
if err = res.Body.Close(); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not very useful to panic in this situation.
An error when closing a response.Body can be ignored - the client has gone anyway.
This is an example where using golangci-lint does not improve the code,
but makes it unnecessarily convoluted.
The Go stdlib wil notpass golangci-lint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR does not improve the code.
The choices made by golangci are questionable.
I would run go vet, but not golangci.
Also I would remove support for any versions < 1.15
I agree with you, that golangci should be taken with a grain of salt. So maybe it would make sense to start with a
This is something that we need to be very careful about in my opinion. The original project did not have a |
We should fix all the warning from go vet. And I would argue that golangci should be abandoned, as it includes too many questionable
The current Go version is 1.16. 1.17 is now in public beta and should be released within a month or two. |
I am not trying to start a heated discussion about versioning policies here, but explain a little bit the reasoning behind my remarks. Me, personally: I am a big favour of always updating as soon as possible and I am a big fan of dependabot, renovate, etc. to always pull in the newest versions (decent test coverage needed of course). Me, as one of the maintainers of this library: I try to not be opinionated about the usage of this library or the constraints the users might have with regards to versions. The goal was (and still is) to provide a 1:1 drop-in replacement for https://github.com/dgrijalva/jwt-go while fixing some of the known issues. Since we are taking "over" existing work, we wanted to follow the ideas of the original author (and other contributors) as close as possible. Without reading their minds, that is a hard thing to do, so a lot of it is some guess work or trying to read what was written in the various documentation files. We have done that with the What I meant with "minimum version requirement" is that the Now, as said before, moving forward, we will most likely drop older versions, mainly because we want to use features of the newer language version. We also do not want to discourage people from creating PRs with newer versions. So this is a tricky thing and it will probably take some time to be properly adjusted. I hope that clarifies my standpoint here a little bit better. |
Go is an opinionated language, and the Go community is opinionated when it comes to supported versions. |
It's common to support only the 2 most recent major releases of Go. I can't pretend to have studied all of these vulnerabilities - but Go do have a fair few vulnerabilities in the langauge and I'd rather signal our support of newer versions via go mod. We made a release that fixes the vulnerability and provided a drop in replacement, seems reasonable to tighten things up moving forward to me |
Regarding linters, go vet is decent others is noisy and questionable, used to like staticcheck but even that is turning into a rubocop like cancer causing constant churn in code bases for no good reason. |
Yes, we have to take security very seriously in a JWE library. |
I agree that linters an be a PITA but I like to see the static analysis side of it as many of their analyzers aren't style only and help catch bugs before even showing at runtime. How bureaucratic the process is is up to the linter's configurability and the codebase's configuration That said, I'd like to continue with some static analysis step (be it golangci-lint or staticcheck) but with a custom configuration for this project that suits the codebase and marks the really important findings |
Historically I've used/encountered One way or another, having something is probably better than nothing at least to conform to some "style", which we'll probably figure out with time. |
I played around with Update: this was a configuration issue, the comment checks (which I really like) were not enabled by default |
closing because it was contentious. |
Add golangci linting to ensure consistent code standards.
Signed-off-by: Alistair Hey [email protected]