golines is one of many useful Go code formatting tools. When I went to install it on my machine, one of the dependencies that was installed with it caught my eye as it flew past: golang.org/x/crypto. I have no good association with the word “crypto.” Turns out it’s a reputable Go cryptography library, not some crypto scam that’s been hacked into the golang tool chain. But, still, why does a code formatter that wraps long lines need a cryptography library?

$ go install github.com/segmentio/golines@latest
go: downloading github.com/segmentio/golines v0.12.2
go: downloading github.com/dave/dst v0.27.3
go: downloading github.com/x-cray/logrus-prefixed-formatter v0.5.2
go: downloading github.com/fatih/structtag v1.2.0
go: downloading gopkg.in/alecthomas/kingpin.v2 v2.2.6
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading golang.org/x/term v0.16.0
go: downloading golang.org/x/sys v0.16.0
go: downloading github.com/alecthomas/units v0.0.0-20231202071711-9a357b53e9c9
go: downloading github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
go: downloading github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
go: downloading golang.org/x/crypto v0.18.0
go: downloading github.com/mattn/go-colorable v0.1.13

I did a search on the golines repository for “crypto”.

The only reference in the code base is in the modules directory. From the Go docs we see that “An // indirect comment denotes a module that does not provide a package imported by a package in the main module.”

This bounces us to indirect dependency, which states “indirect dependency: A package transitively imported by a package or test in the main module, but whose path does not appear in any import declaration in the main module; or a module that appears in the module graph but does not provide any package directly imported by the main module. (Compare direct dependency.)”

There is an interesting tool called go mod graph that helps analyze Go dependency trees. So I cloned golines onto my local machine and ran go mod graph.

$ go mod graph | grep crypto
github.com/segmentio/golines golang.org/x/crypto@v0.18.0
golang.org/x/crypto@v0.18.0 golang.org/x/net@v0.10.0
golang.org/x/crypto@v0.18.0 golang.org/x/sys@v0.16.0
golang.org/x/crypto@v0.18.0 golang.org/x/term@v0.16.0
golang.org/x/crypto@v0.18.0 golang.org/x/text@v0.14.0

This doesn’t help. But go mod why fares better:

$ go mod why -m golang.org/x/crypto
# golang.org/x/crypto
github.com/segmentio/golines
github.com/x-cray/logrus-prefixed-formatter
golang.org/x/crypto/ssh/terminal

github.com/x-cray/logrus-prefixed-formatter is imported by main (as prefixed) for logging, and this imports terminal which has a “deprecated” message on it.
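go mod why -m answers the question by finding a shortest path in the package import graph from the main module to any package of the target module, which is why it shows the chain that go mod graph (module-level edges only) hides. The sketch below is an added example, not code from golines or the Go toolchain: it runs the same breadth-first search over a constructed import listing in which only the golines, logrus-prefixed-formatter and ssh/terminal edges come from this page; parseImports, whyModule and the remaining sample edges are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed listing, one package per line ("importpath import1 import2 ..."),
// the shape of: go list -deps -f '{{.ImportPath}} {{join .Imports " "}}' .
const sampleImports = `github.com/segmentio/golines github.com/dave/dst github.com/x-cray/logrus-prefixed-formatter
github.com/x-cray/logrus-prefixed-formatter github.com/mgutz/ansi golang.org/x/crypto/ssh/terminal
golang.org/x/crypto/ssh/terminal golang.org/x/term
golang.org/x/term golang.org/x/sys/unix`

// parseImports builds the package import graph from the listing.
func parseImports(listing string) map[string][]string {
	graph := make(map[string][]string)
	for _, line := range strings.Split(listing, "\n") {
		if f := strings.Fields(line); len(f) > 0 {
			graph[f[0]] = f[1:]
		}
	}
	return graph
}

// whyModule returns the shortest import chain from root to any package of
// module (breadth-first search), or nil if the module is not reachable.
func whyModule(graph map[string][]string, root, module string) []string {
	seen := map[string]bool{root: true}
	queue := [][]string{{root}}
	for i := 0; i < len(queue); i++ {
		chain := queue[i]
		pkg := chain[len(chain)-1]
		if pkg == module || strings.HasPrefix(pkg, module+"/") {
			return chain
		}
		for _, dep := range graph[pkg] {
			if !seen[dep] {
				seen[dep] = true
				// Full slice expression forces a copy so chains never share storage.
				queue = append(queue, append(chain[:len(chain):len(chain)], dep))
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(whyModule(parseImports(sampleImports), "github.com/segmentio/golines", "golang.org/x/crypto"))
}
```

Matching on the module path plus "/" keeps a module such as golang.org/x/crypto from also matching an unrelated path that merely shares the prefix string.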

In any case, I wish there was a way to disable features on packages and prevent them from bringing in dependencies. Logging is useful when something is going wrong, but most of the time an end user won’t need it, especially for a code formatter that is working behind the scenes via an editor plugin … Bleh to bloat.