fix(deps): replace gopkg.in/yaml.v3 with github.com/goccy/go-yaml #89
@@ -9,7 +9,7 @@ JSON is awkward for persona files that contain multi-line text (identity, severi
- Backwards compatibility: existing JSON personas must continue to work
- Backwards compatibility: existing JSON personas must continue to work
- Security: protect against DoS via deeply nested YAML (AIKIDO-2024-10486)
- Security: protect against DoS via deeply nested YAML (AIKIDO-2024-10486)
- Consistency: use `.yaml` extension (not `.yml`)
- Consistency: use `.yaml` extension (not `.yml`)
- Library: use `gopkg.in/yaml.v3` (approved in CONVENTIONS.md) with explicit depth limiting
- Library: use `github.com/goccy/go-yaml` v1.16.0+ (approved in CONVENTIONS.md); has built-in depth protection via `MaxYAMLDepth`/`MaxYAMLNodes` constants
## Proposed Approach
## Proposed Approach
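Review bot: the new rationale line describes MaxYAMLDepth/MaxYAMLNodes as "constants", while the Proposed Approach section changed in this same PR calls them "decoder options"; use one term that matches what github.com/goccy/go-yaml actually exposes, and tie the `v1.16.0+` floor to the AIKIDO-2024-10486 reference by stating which versions the advisory covers, so a reader can verify that the minimum version is sufficient.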
gpt-review-bot
commented
**[MINOR]** Documentation states the library’s built-in depth protection (MaxYAMLDepth/MaxYAMLNodes decoder options) is used instead of manual checks, but the code still performs an AST-based depth/node count walk before decoding. Update the design doc to reflect the current implementation or use the library-provided options if intended.
@@ -63,7 +63,7 @@ func checkYAMLDepth(node *yaml.Node, depth, maxDepth int) error {
}
}
```
```
The `gopkg.in/yaml.v3` library does not have built-in depth protection, so we implement explicit depth checking by first decoding into a `yaml.Node`, walking the tree to verify depth (including alias resolution), then decoding into the target struct.
The `github.com/goccy/go-yaml` library provides built-in depth protection via `MaxYAMLDepth` and `MaxYAMLNodes` decoder options. We use these instead of a manual depth-checking walk.
sonnet-review-bot
commented
**[NIT]** The design doc still contains the old `gopkg.in/yaml.v3`-based code sample for `unmarshalYAMLWithDepthLimit` and `checkYAMLDepth` (using `yaml.Node` and `yaml.AliasNode`) from the original implementation. These code snippets now describe a design that was NOT implemented — the actual implementation uses the `goccy/go-yaml` AST approach. The design doc should be updated to reflect the actual implementation, or the code samples removed/replaced.
## State/Data Model
## State/Data Model
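Review bot: the replacement paragraph drops the alias-resolution point that the removed sentence made explicit ("walking the tree to verify depth (including alias resolution)"); state whether the MaxYAMLNodes limit is applied after alias expansion, and record the concrete depth and node limits the decoder is configured with, since the hunk only names the options while the closing `}` and fence of the `checkYAMLDepth` sample remain above it as unchanged context.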
[MINOR] The design doc claims using go-yaml's built-in depth protection via MaxYAMLDepth/MaxYAMLNodes instead of a manual depth walk, but the implementation still performs a custom AST depth/node-count check. Update the doc to reflect the actual approach or adopt the library's built-in options if available.
[NIT] The design document still contains the pseudocode showing the old gopkg.in/yaml.v3 API (yaml.Node, yaml.NewDecoder, etc.) with a note saying it's outdated. Consider either removing the old pseudocode entirely or replacing it with the actual implementation approach, since having misleading pseudocode in design docs can confuse future contributors.