What to do about archived Go dependencies?

Hey gang!

There was mention somewhere last week that mitchellh (Mitchell Hashimoto) archived a bunch of their repos on GitHub as they’ve moved on from Go development to something else, Zig?

Anyway, I wondered, other than Mitchell’s Go projects that we depend on, how many others have been archived. So I wrote a script, and here’s the result after pointing it at Syft, Grype, Grant and Stereoscope as a test. I can scan all the other open source repos, but figured I’d start the conversation with what we have here:

Do we have a plan for “dealing” with these?

All

Grype & Syft

Grype

Grant

It looks like we should probably update to use the Viper fork of mapstructure (go-viper/mapstructure) anywhere we’re directly depending on it, especially since we’re already pulling this in with Viper updates.
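
An added example, not the script from the thread (which is not shown): one way to flag archived dependencies in Go is to read the `require` entries from `go.mod`, map each `github.com` module to its `owner/repo`, and check the `archived` field of the GitHub REST API repository object. The `go.mod` contents, versions and response bodies below are constructed so the block runs offline; the function name `archivedDeps` is hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample go.mod; versions are illustrative only.
const sampleGoMod = `module example.com/tool
require (
	github.com/mitchellh/mapstructure v1.0.0
	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
)
require github.com/mitchellh/go-homedir v1.0.0 // indirect
`
// Constructed stand-ins for GitHub "GET /repos/{owner}/{repo}" response bodies.
var sampleMeta = map[string]string{
	"mitchellh/mapstructure": `{"archived": true}`,
	"mitchellh/go-homedir":   `{"archived": true}`,
	"go-viper/mapstructure":  `{"archived": false}`,
}

// archivedDeps maps each required github.com module whose repository metadata
// says "archived": true to whether go.mod marks it "// indirect".
func archivedDeps(goMod string, meta map[string]string) map[string]bool {
	out, inBlock := map[string]bool{}, false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		inBlock = line == "require (" || (inBlock && line != ")")
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if !(inBlock || strings.HasPrefix(line, "require ")) || len(f) < 2 {
			continue // not a require entry
		}
		p := strings.Split(f[0], "/")
		if len(p) < 3 || p[0] != "github.com" {
			continue // only GitHub-hosted modules can be looked up this way
		}
		var repo struct{ Archived bool `json:"archived"` }
		if json.Unmarshal([]byte(meta[p[1]+"/"+p[2]]), &repo) == nil && repo.Archived {
			out[f[0]] = strings.HasSuffix(line, "// indirect")
		}
	}
	return out
}

func main() {
	fmt.Println(archivedDeps(sampleGoMod, sampleMeta))
}
```

Entries that map to `false` are direct requirements, which are the ones a maintained fork can replace in this module's own imports; `true` entries arrive through another dependency and have to be updated there.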