Don't vendor pkg/blackfriday?

[jas4711]

Hi!

This package vendor github.com/russross/blackfriday as github.com/smallstep/cli-utils/pkg/blackfriday.

What is the reason for this vendoring of an external package?

Is it verbatim or do you make critical (or cosmetic..) changes?

I help maintain smallstep/cli-utils for Debian, and there is a preference to not vendor code because it is a security nightmare in case of a security bug in some code that is vendored all over the OS.

Thus, we have patched smallstep/cli-utils to use the version of russross/blackfriday that is available with Debian:

https://salsa.debian.org/go-team/packages/golang-github-smallstep-cli-utils/-/blob/debian/latest/debian/patches/0002-Do-not-vendor-blackfriday.patch?ref_type=heads

All self-tests passes and we haven't received any reports about problems related to this.

However, patching things like this is also a concern, especially when not reported or discussed with upstream. So I wanted to bring this up with you, to have a discussion.

Any thoughts or input on this appreciated.

Thanks,
Simon

[hslatman]

Based on #109, some logic was customized. What exactly, I don't know. Based on just the diff of the directory with the latest blackfriday it's not easy to tell, but that can also be due to changes having been made to blackfriday later. @maraino do you remember or have some notes on it?

Rendering the markdown is primarily used to update our (hosted) docs for certain projects, like cli. So, in general, it's not a functionality many people rely on in their day-to-day, as there's no real need to do step help --markdown, for example. It might be an option to change to using the original blackfriday or an alternative markdown processor if the output can be made similar (enough).