Preflight Checklist

  • [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • [X] I am not looking for support or already pursued the available support channels without success.
  • [X] I have checked the troubleshooting guide for my problem, without success.

Viper Version

1.19.0

Go Version

1.22.4

Config Source

Defaults

Format

No response

Repl.it link

No response

Code reproducing the issue

No response

Expected Behavior

Latest version depends on EOL library go.mod: github.com/pmezard/go-difflib v1.0.0, which raises security concerns

Actual Behavior

An easy way to check is to download the master branch and do a grep -r go-difflib. The output is the following:

go.mod: github.com/pmezard/go-difflib v1.0.0 // indirect
go.sum:github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
go.sum:github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
remote/go.sum:github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
remote/go.sum:github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
remote/go.sum:github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=

Steps To Reproduce

No response

Additional Information

No response

Comment From: github-actions[bot]

👋 Thanks for reporting!

A maintainer will take a look at your issue shortly. 👀

In the meantime: We are working on Viper v2 and we would love to hear your thoughts about what you like or don't like about Viper, so we can improve or fix those issues.

⏰ If you have a couple minutes, please take some time and share your thoughts: https://forms.gle/R6faU74qPRPAzchZ9

📣 If you've already given us your feedback, you can still help by spreading the news, either by sharing the above link or telling people about this on Twitter:

https://twitter.com/sagikazarmark/status/1306904078967074816

Thank you! ❤️

Comment From: sagikazarmark

I can see you've opened an issue in testify that actually depends on this module: stretchr/testify#1618

There isn't much we can do here. It's not going to be compiled into the final binary, because we don't use it anywhere, but in tests.
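
One way to check both points from the comment above (which module pulls in go-difflib, and whether it reaches a shipped binary), as an added example that is not part of the original thread or of Viper's code. The helper names `requirers` and `in_binary` are hypothetical, and the sample `go mod graph` and `go version -m` output is constructed; on a real project, pipe the actual command output into the helpers instead.

```shell
#!/bin/sh
# Added example. Helper names and all sample data are constructed; versions
# written v0.0.0-sample are placeholders, not real releases.
MOD=github.com/pmezard/go-difflib

# requirers MODULE: read `go mod graph` output ("parent[@ver] child@ver" per
# line) on stdin and print each distinct module that requires MODULE.
requirers() {
    awk -v m="$1" '{
        split($2, child, "@")
        if (child[1] != m) next
        split($1, parent, "@")
        if (!seen[parent[1]]++) print parent[1]
    }'
}

# in_binary MODULE: read `go version -m <binary>` output on stdin and succeed
# only if MODULE appears on a "dep" line, i.e. it was linked into that binary.
in_binary() {
    awk -v m="$1" '$1 == "dep" && $2 == m { found = 1 } END { exit !found }'
}

# Constructed stand-in for `go mod graph` run in the module under review.
sample_graph() {
    cat <<'EOF'
github.com/spf13/viper github.com/stretchr/testify@v0.0.0-sample
github.com/stretchr/testify@v0.0.0-sample github.com/davecgh/go-spew@v0.0.0-sample
github.com/stretchr/testify@v0.0.0-sample github.com/pmezard/go-difflib@v1.0.0
EOF
}

# Constructed stand-in for `go version -m ./app` (hash column omitted).
sample_buildinfo() {
    printf 'app: go1.22.4\n'
    printf '\tpath\texample.com/app\n'
    printf '\tmod\texample.com/app\t(devel)\n'
    printf '\tdep\tgithub.com/spf13/viper\tv1.19.0\n'
    printf '\tbuild\t-compiler=gc\n'
}

echo "required by: $(sample_graph | requirers "$MOD")"
if sample_buildinfo | in_binary "$MOD"; then
    echo "$MOD is linked into the binary"
else
    echo "$MOD is not linked into the binary"
fi
```

A `go.sum` or `go.mod` hit from `grep` only shows the module is in the resolution graph; the `dep` lines embedded in the built binary show what was actually linked.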

Comment From: github-actions[bot]

Issues with no activity for 30 days are marked stale and subject to being closed.

Comment From: ccoVeille

testify resolved it by vendoring go-difflib

  • https://github.com/stretchr/testify/pull/1708

See https://github.com/stretchr/testify/issues/1159#issuecomment-3281982413

Next testify release will solve this