deps: remove oauth2 in favor of bearerTransport#2462

Open
kotakanbe wants to merge 5 commits into master from diet-oauth2

Conversation

@kotakanbe kotakanbe commented Mar 16, 2026

Why (motivation for removing this dependency)

  • golang.org/x/oauth2 provides the full OAuth2 authentication flow
  • Reason for removal: this project never uses OAuth2 flows — it only sets a static Bearer token in HTTP headers. Pulling in the entire OAuth2 library for this is overkill
  • go.mod impact: removed from direct deps. Remains as indirect (via trivy -> go-getter)

What (replacement details)

  • Replace oauth2.NewClient() with a 15-line bearerTransport (http.RoundTripper impl)
  • detector/github.go: added bearerTransport type + newBearerClient() function, replaced 2 call sites of oauth2.NewClient with newBearerClient(token)

Safety (why this is safe)

  • Risk level: low
  • Inspecting oauth2.NewClient source: for static tokens, it simply creates a Transport that adds Authorization: Bearer <token>. Our implementation does exactly this
  • Uses req.Clone() to avoid mutating the original request

Test plan

  • TestBearerTransport_SetsAuthorizationHeader - verifies the header is set to Bearer <token> using httptest
  • TestBearerTransport_ClonesRequest - verifies RoundTrip does not mutate original request headers
  • TestNewBearerClient_ReturnsValidClient - end-to-end: verifies the returned http.Client sends the correct token
  • go build ./cmd/... pass
  • go test ./detector/... pass

Review hint (how to review efficiently)

  1. Start with bearerTransport type + RoundTrip method (15 lines) — this is the core replacement
  2. Then check DetectGitHubSecurityAlerts and DetectGitHubDependencyGraph diffs — 4 lines of oauth2.* become 1 line newBearerClient(token)
  3. github_test.go covers the new implementation with 3 focused tests

🤖 Generated with Claude Code
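A stand-alone reimplementation of the transport the description above sketches, added here as an example and not taken from the PR's diff: the type and constructor names (bearerTransport, newBearerClient) follow the description, while probeAuthHeader and the X-Seen-Authorization echo header are assumptions used only for the self-check of the two properties the PR's tests target (header is set, original request is not mutated).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bearerTransport adds a static "Authorization: Bearer <token>" header to every
// request and delegates to http.DefaultTransport (names follow the PR text).
type bearerTransport struct {
	token string
}

// RoundTrip clones the request before setting the header, because a
// RoundTripper must not mutate the request it is handed.
func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	clone := req.Clone(req.Context())
	clone.Header.Set("Authorization", "Bearer "+t.token)
	return http.DefaultTransport.RoundTrip(clone)
}

// newBearerClient returns an http.Client whose transport injects the token.
func newBearerClient(token string) *http.Client {
	return &http.Client{Transport: &bearerTransport{token: token}}
}

// probeAuthHeader (assumed helper) starts a local httptest server that echoes the
// Authorization header it received, sends one request through the bearer client,
// and reports the echoed value plus whether the caller's request stayed untouched.
func probeAuthHeader(token string) (seen string, untouched bool, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-Authorization", r.Header.Get("Authorization"))
	}))
	defer srv.Close()
	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return "", false, err
	}
	resp, err := newBearerClient(token).Do(req)
	if err != nil {
		return "", false, err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Seen-Authorization"), req.Header.Get("Authorization") == "", nil
}

func main() {
	fmt.Println(probeAuthHeader("constructed-token")) // Bearer constructed-token true <nil>
}
```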

kotakanbe and others added 5 commits March 16, 2026 13:04
Replace golang.org/x/oauth2 with a minimal bearerTransport
(http.RoundTripper) that sets the Authorization header. oauth2 was
only used to create an HTTP client with a static Bearer token, which
doesn't require the full OAuth2 library.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Verify that bearerTransport correctly sets Authorization Bearer header,
clones requests without modifying originals, and integrates properly
with http.Client.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>