
Mail.Ru easyjson library security concerns #1857

Open
buchekalex opened this issue Jul 29, 2024 · 2 comments
@buchekalex

Hello,

I would like to bring to your attention a concern regarding one of the dependencies used in the swaggo/swag library, specifically the easyjson library.

The easyjson library is developed by Mail.ru, a company controlled by the Russian government. Due to security policies and compliance checks within our company, we are not allowed to use any libraries or software developed by entities associated with the Russian government.

Request

To ensure the security and compliance of our projects, we kindly request that you consider replacing the easyjson library with an alternative solution. One viable option could be to use the standard encoding/json package provided by Go, which is well-supported and maintained.

We understand that this may require some changes to the codebase, and we appreciate your efforts in maintaining the security and integrity of the swaggo/swag library.

Potential Impact

Updating the dependency to a more secure and compliant library will help in:

  • Enhancing the security of projects using swaggo/swag.
  • Ensuring compliance with various organizational and governmental policies.
  • Maintaining trust and reliability in the swaggo/swag library within the global developer community.

Thank you for your attention to this matter. We appreciate your consideration and look forward to your response.

@bbrodriges

bbrodriges commented Aug 26, 2024

As far as I can see, easyjson is used only in the example directory and is not required for proper package operation.

@ubogdan
Contributor

ubogdan commented Oct 20, 2024

This project is Open Source and is maintained by a community, not a government.

The library is an indirect requirement; it comes from go-openapi, and there is no way to remove it. If your company policy is so strict, you can write OAS specs by hand.

Thanks for raising the concern.
