Meet Voorhees, a tool to detect Zombie Go dependencies


It’s common knowledge that dependencies are both amazing and terrible. On one hand, they can help you build your product faster by focusing on core logic, offload complex work, fill a knowledge gap, etc. On the other hand, you don’t own the code you are adding and you have to trust the people who maintain them.

Luckily, Gophers tend to be more cautious than most when it comes to adding dependencies. The rule of thumb is to take one on only if it fits one of these criteria:

But even with this you’re not safe. A few years ago satori/go.uuid was the go-to dependency for generating UUIDs. Sadly, the project is no longer maintained (the owner is MIA) and carries known bugs and CVEs. The question is how many people actually know about this? Chances are people are still creating new projects with it because it has 4k stars on GitHub and/or because they were already using it on another project, so they don’t even check anymore. Last week, Dan Lorenc wrote an article about this type of dependency, calling them Zombie Dependencies.

This is where Voorhees comes into play. Voorhees (named after everyone’s favorite zombie, Jason Voorhees from Friday the 13th) is a very simple tool that analyzes your direct dependencies and reports the ones that haven’t had a release in the last X months/weeks. The idea is not to throw stones at maintainers for not updating their dependencies often enough or for not releasing fast enough, but to make people more aware of what’s happening with the dependencies they are using.

Voorhees can be run from a downloaded binary, through Docker, or as a GitHub Action.

❯ go list -json -m -u all | voorhees
| | 13 months ago (2019/12/05) |
| | 12 months ago (2020/01/14) |
| | 16 months ago (2019/09/18) |

The main question is what to do when a dependency hasn’t been updated in a while. There is no magic answer. Switching to a different library is not necessarily the correct move, and you should not expect a dependency to get weekly or monthly releases. The main thing to do is to look at why this dependency hasn’t been updated.

First, check whether there is any sort of activity in the repository.

You should see a red flag if there are many PRs and issues open with no maintainer looking at them. If that’s the case you might want to start looking for a fork or for a different library. Otherwise, you can tell Voorhees to either ignore the dependency or to use a different expiration time for that specific dependency. If there is some activity on the main branch but no release in the last 6 months, you can raise the threshold for it to 1 year and see whether anything has changed by then. If not, look deeper into it and maybe reach out to the maintainers.
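To make the check concrete, here is an added example, written for this post and not Voorhees’ own code, that does what the tool is described as doing: it reads the `go list -json -m -u all` stream, skips the main module and indirect dependencies, takes the newest release date it knows about (the available update when `-u` found one, otherwise the version in use), and flags direct dependencies older than a default threshold, honoring the per-dependency override and ignore list described above. The module paths, dates and the `-sample` flag are constructed for the demo and are not real modules.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
	"time"
)

// Module holds the fields of `go list -json -m -u all` output used here.
type Module struct {
	Path, Version  string
	Time           *time.Time // release date of the version in use
	Update         *Module    // newest available release, when -u finds one
	Main, Indirect bool
}

// Policy: default maximum age, per-module overrides, and modules to skip.
type Policy struct {
	MaxAge   time.Duration
	Override map[string]time.Duration
	Ignore   map[string]bool
}

type Stale struct {
	Path, Version string
	Last          time.Time // newest release date known for the module
	Age           time.Duration
}

func Months(d time.Duration) int { return int(d.Hours() / 24 / 30) }

// latestRelease prefers the update reported by -u over the version in use.
func latestRelease(m *Module) *time.Time {
	if m.Update != nil && m.Update.Time != nil {
		return m.Update.Time
	}
	return m.Time
}

// FindStale decodes the concatenated JSON objects `go list -json -m` emits and returns each
// direct dependency whose newest release is older than allowed, oldest first.
func FindStale(r io.Reader, now time.Time, p Policy) ([]Stale, error) {
	dec := json.NewDecoder(r)
	var out []Stale
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		if m.Main || m.Indirect || p.Ignore[m.Path] {
			continue
		}
		last := latestRelease(&m)
		if last == nil {
			continue // no release date reported (e.g. a local replace directive)
		}
		limit, ok := p.Override[m.Path]
		if !ok {
			limit = p.MaxAge
		}
		if age := now.Sub(*last); age > limit {
			out = append(out, Stale{Path: m.Path, Version: m.Version, Last: *last, Age: age})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Age > out[j].Age })
	return out, nil
}

// sampleGoList is constructed sample output, not data from a real module graph.
const sampleGoList = `{"Path":"example.com/myapp","Main":true}
{"Path":"example.com/uuid","Version":"v1.2.0","Time":"2019-09-18T12:00:00Z"}
{"Path":"example.com/fresh","Version":"v0.4.0","Time":"2020-06-01T08:00:00Z",
 "Update":{"Path":"example.com/fresh","Version":"v0.5.0","Time":"2021-01-10T08:00:00Z"}}
{"Path":"example.com/transitive","Version":"v2.0.0","Time":"2018-01-01T00:00:00Z","Indirect":true}
{"Path":"example.com/slowmover","Version":"v3.1.0","Time":"2020-07-14T00:00:00Z"}`

func main() {
	in, now := io.Reader(os.Stdin), time.Now()
	if len(os.Args) > 1 && os.Args[1] == "-sample" { // fixed clock keeps the demo reproducible
		in, now = strings.NewReader(sampleGoList), time.Date(2021, 1, 20, 0, 0, 0, 0, time.UTC)
	}
	stale, err := FindStale(in, now, Policy{
		MaxAge:   6 * 30 * 24 * time.Hour, // default: roughly six months
		Override: map[string]time.Duration{"example.com/slowmover": 365 * 24 * time.Hour},
	})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, s := range stale {
		fmt.Printf("%-26s %-8s %2d months ago (%s)\n", s.Path, s.Version, Months(s.Age), s.Last.Format("2006/01/02"))
	}
	if len(stale) > 0 {
		os.Exit(1) // non-zero exit lets CI fail the build on zombie dependencies
	}
}
```

Run it as `go list -json -m -u all | go run stale.go` against a real module, or `go run stale.go -sample` for the embedded data, where only example.com/uuid is reported because slowmover has a one-year override and fresh has a recent update available. The non-zero exit is what makes the check useful in CI; the date it prints is a prompt to go look at the repository, not a verdict on the dependency.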

The current version of Voorhees only looks at direct dependencies and at the date of the latest release, but I already have many ideas for useful features to add:

To get started with Voorhees, head over to the GitHub repository.

Staff Engineer at Abstract, Splice. I love Go, and I love Git. https://melvin.la
