Feature request: Use go workspaces to remove http module from dependents

[CVE-2022-31022](https://github.com/advisories/GHSA-9w9f-6mg8-jp7w) is currently an advisory on the Bleve package due to the `http` package -- this is entirely understandable and correct. However, due to the `http` package's presence in the root module, any app that depends on bleve will also get this advisory by security scanning tools (e.g. AWS Inspector).

One example is in Grafana: `docker scout cves grafana/grafana:latest`:

```
$ docker scout cves grafana/grafana:latest
...
## Packages and Vulnerabilities
   0C     0H     1M     0L  github.com/blevesearch/bleve/v2 2.4.3
pkg:golang/github.com/blevesearch/bleve@2.4.3#v2

    ✗ MEDIUM CVE-2022-31022
      https://scout.docker.com/v/CVE-2022-31022
      Affected range : >=0
      Fixed version  : not fixed
```

To solve this, I'd like to request the bleve repository to use [Go workspaces](https://go.dev/doc/tutorial/workspaces). This would let us depend on all of Bleve _except_ for its example code, and solve the CVE we have reported on our software.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feature request: Use go workspaces to remove http module from dependents #2140

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Feature request: Use go workspaces to remove http module from dependents #2140

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions