fix(deps): revert koanf to v1.5 #211

Closed
wants to merge 2 commits into from
fzipi
Member

@fzipi fzipi commented Nov 20, 2023

While the update works for go-ftw, koanf v2 is not used in other dependent libraries and breaks when used.

E.g. corazawaf/coraza#908

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
@fzipi fzipi marked this pull request as ready for review November 20, 2023 23:08
@fzipi fzipi requested a review from theseion November 20, 2023 23:18
@theseion
Collaborator

I don't understand the issue. All they need to do is the same that I've done, which is to use koanf/v2 and add koanf/providers/yaml etc. as indirect dependencies. I just tried it on the branch of that PR for Coraza.

@fzipi
Member Author

fzipi commented Nov 22, 2023

The problem is this: I learned that dependencies might also pull koanf. But they pull v1. Because of that, there is a namespace collision upstream. So, to move forward, we might need to change our code and include v2 but use it in a different namespace, like koanf2 or something. We can do that now and see if it works instead of downgrading....

@fzipi
Member Author

fzipi commented Nov 22, 2023

The error:

Error: ../../../go/pkg/mod/github.com/knadh/koanf/v2@v2.0.1/koanf.go:11:2: ambiguous import: found package github.com/knadh/koanf/maps in multiple modules:
	github.com/knadh/koanf v1.4.4 (/home/runner/go/pkg/mod/github.com/knadh/koanf@v1.4.4/maps)
	github.com/knadh/koanf/maps v0.1.1 (/home/runner/go/pkg/mod/github.com/knadh/koanf/maps@v0.1.1)
FAIL

@fzipi
Member Author

fzipi commented Nov 22, 2023

The dependency graph:

❯ go mod graph | grep koanf
github.com/corazawaf/coraza/v3/testing/coreruleset github.com/knadh/koanf@v1.4.4
github.com/corazawaf/coraza/v3/testing/coreruleset github.com/knadh/koanf/v2@v2.0.1
github.com/coreruleset/go-ftw@v0.6.3 github.com/knadh/koanf/parsers/yaml@v0.1.0
github.com/coreruleset/go-ftw@v0.6.3 github.com/knadh/koanf/providers/env@v0.1.0
github.com/coreruleset/go-ftw@v0.6.3 github.com/knadh/koanf/providers/file@v0.1.0
github.com/coreruleset/go-ftw@v0.6.3 github.com/knadh/koanf/providers/rawbytes@v0.1.0
github.com/coreruleset/go-ftw@v0.6.3 github.com/knadh/koanf/v2@v2.0.1
github.com/coreruleset/go-ftw@v0.6.3 github.com/knadh/koanf/maps@v0.1.1
github.com/knadh/koanf@v1.4.4 github.com/aws/aws-sdk-go-v2@v1.9.2
github.com/knadh/koanf@v1.4.4 github.com/aws/aws-sdk-go-v2/config@v1.8.3
github.com/knadh/koanf@v1.4.4 github.com/aws/aws-sdk-go-v2/credentials@v1.4.3
github.com/knadh/koanf@v1.4.4 github.com/aws/aws-sdk-go-v2/service/appconfig@v1.4.2
github.com/knadh/koanf@v1.4.4 github.com/aws/aws-sdk-go-v2/service/sts@v1.7.2
github.com/knadh/koanf@v1.4.4 github.com/fatih/structs@v1.1.0
github.com/knadh/koanf@v1.4.4 github.com/fsnotify/fsnotify@v1.4.9
github.com/knadh/koanf@v1.4.4 github.com/hashicorp/consul/api@v1.13.0
github.com/knadh/koanf@v1.4.4 github.com/hashicorp/hcl@v1.0.0
github.com/knadh/koanf@v1.4.4 github.com/hashicorp/vault/api@v1.0.4
github.com/knadh/koanf@v1.4.4 github.com/hjson/hjson-go/v4@v4.0.0
github.com/knadh/koanf@v1.4.4 github.com/joho/godotenv@v1.3.0
github.com/knadh/koanf@v1.4.4 github.com/mitchellh/copystructure@v1.2.0
github.com/knadh/koanf@v1.4.4 github.com/mitchellh/mapstructure@v1.5.0
github.com/knadh/koanf@v1.4.4 github.com/npillmayer/nestext@v0.1.3
github.com/knadh/koanf@v1.4.4 github.com/pelletier/go-toml@v1.7.0
github.com/knadh/koanf@v1.4.4 github.com/rhnvrm/simples3@v0.6.1
github.com/knadh/koanf@v1.4.4 github.com/spf13/pflag@v1.0.5
github.com/knadh/koanf@v1.4.4 github.com/stretchr/testify@v1.7.0
github.com/knadh/koanf@v1.4.4 go.etcd.io/etcd/client/v3@v3.5.4
github.com/knadh/koanf@v1.4.4 gopkg.in/yaml.v3@v3.0.1
github.com/knadh/koanf/v2@v2.0.1 github.com/knadh/koanf/maps@v0.1.1
github.com/knadh/koanf/v2@v2.0.1 github.com/mitchellh/copystructure@v1.2.0
github.com/knadh/koanf/v2@v2.0.1 github.com/mitchellh/mapstructure@v1.5.0
github.com/knadh/koanf/v2@v2.0.1 github.com/mitchellh/reflectwalk@v1.0.2
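
An added example (not from this thread, go-ftw or Coraza): a Go helper that scans `go mod graph` output for nested module paths, the situation behind the `ambiguous import` error above, where the monolithic `github.com/knadh/koanf` v1.4.4 module and the split-out `github.com/knadh/koanf/maps` module both provide the same package. The name `NestedModules` and the trimmed sample graph are assumptions, and the result is a list of candidates only, since the module contents decide whether a package is really duplicated.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleGraph is a trimmed copy of the `go mod graph` output quoted in this thread.
const sampleGraph = `github.com/corazawaf/coraza/v3/testing/coreruleset github.com/knadh/koanf@v1.4.4
github.com/corazawaf/coraza/v3/testing/coreruleset github.com/knadh/koanf/v2@v2.0.1
github.com/coreruleset/go-ftw@v0.6.3 github.com/knadh/koanf/parsers/yaml@v0.1.0
github.com/coreruleset/go-ftw@v0.6.3 github.com/knadh/koanf/maps@v0.1.1
github.com/knadh/koanf/v2@v2.0.1 github.com/knadh/koanf/maps@v0.1.1
github.com/knadh/koanf@v1.4.4 gopkg.in/yaml.v3@v3.0.1`

// majorSuffix matches a bare major-version element such as "v2": koanf/v2 is a
// separate major version of koanf, not a module split out of its directory tree.
var majorSuffix = regexp.MustCompile(`^v[0-9]+$`)

// NestedModules (hypothetical helper) returns sorted "parent <- child" pairs where
// one module path in the graph is a directory prefix of another module path.
func NestedModules(graph string) []string {
	paths := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(graph))
	for sc.Scan() {
		for _, field := range strings.Fields(sc.Text()) {
			paths[strings.SplitN(field, "@", 2)[0]] = true // drop "@version"
		}
	}
	var pairs []string
	for parent := range paths {
		for child := range paths {
			if !strings.HasPrefix(child, parent+"/") {
				continue
			}
			if rest := strings.TrimPrefix(child, parent+"/"); !majorSuffix.MatchString(rest) {
				pairs = append(pairs, parent+" <- "+child)
			}
		}
	}
	sort.Strings(pairs)
	return pairs
}

func main() {
	for _, p := range NestedModules(sampleGraph) {
		fmt.Println("possible ambiguous import:", p)
	}
}
```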

@theseion
Collaborator

From what I can see, they only pull in koanf because of go-ftw, and that only in the testing/coreruleset module. Here's the updated go.mod file for that module:

module github.com/corazawaf/coraza/v3/testing/coreruleset

go 1.18

require (
	github.com/bmatcuk/doublestar/v4 v4.6.1
	github.com/corazawaf/coraza-coreruleset v0.0.0-20230330101229-43b851256042
	github.com/corazawaf/coraza/v3 v3.0.4
	github.com/coreruleset/go-ftw v0.6.3
	github.com/rs/zerolog v1.31.0
)

require (
	github.com/Masterminds/goutils v1.1.1 // indirect
	github.com/Masterminds/semver v1.5.0 // indirect
	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
	github.com/corazawaf/libinjection-go v0.1.2 // indirect
	github.com/fatih/color v1.15.0 // indirect
	github.com/fsnotify/fsnotify v1.6.0 // indirect
	github.com/goccy/go-yaml v1.9.2 // indirect
	github.com/google/uuid v1.4.0 // indirect
	github.com/huandu/xstrings v1.3.3 // indirect
	github.com/icza/backscanner v0.0.0-20230330133933-bf6beb754c70 // indirect
	github.com/imdario/mergo v0.3.13 // indirect
	github.com/knadh/koanf/maps v0.1.1 // indirect
	github.com/knadh/koanf/parsers/yaml v0.1.0 // indirect
	github.com/knadh/koanf/providers/env v0.1.0 // indirect
	github.com/knadh/koanf/providers/file v0.1.0 // indirect
	github.com/knadh/koanf/providers/rawbytes v0.1.0 // indirect
	github.com/knadh/koanf/v2 v2.0.1 // indirect
	github.com/kyokomi/emoji/v2 v2.2.12 // indirect
	github.com/magefile/mage v1.15.0 // indirect
	github.com/mattn/go-colorable v0.1.13 // indirect
	github.com/mattn/go-isatty v0.0.19 // indirect
	github.com/mitchellh/copystructure v1.2.0 // indirect
	github.com/mitchellh/mapstructure v1.5.0 // indirect
	github.com/mitchellh/reflectwalk v1.0.2 // indirect
	github.com/petar-dambovaliev/aho-corasick v0.0.0-20230725210150-fb29fc3c913e // indirect
	github.com/tidwall/gjson v1.17.0 // indirect
	github.com/tidwall/match v1.1.1 // indirect
	github.com/tidwall/pretty v1.2.1 // indirect
	github.com/yargevad/filepathx v1.0.0 // indirect
	golang.org/x/crypto v0.15.0 // indirect
	golang.org/x/net v0.18.0 // indirect
	golang.org/x/sync v0.5.0 // indirect
	golang.org/x/sys v0.14.0 // indirect
	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
	gopkg.in/yaml.v3 v3.0.1 // indirect
	rsc.io/binaryregexp v0.2.0 // indirect
)

@theseion
Collaborator

The namespace thing I'm not familiar with. I'll have to look into that.

@fzipi
Member Author

fzipi commented Nov 23, 2023

It is just the name used when importing. If you do:

import (
    "github.com/knadh/koanf"
    "github.com/knadh/koanf/v2"
)

then you'll have a collision because both are imported as "koanf". Typically you use it like:

import (
    "github.com/knadh/koanf"
    koanfv2 "github.com/knadh/koanf/v2"
)

So there is a way to make both versions work. The first one will be "koanf" and the second "koanfv2".

@theseion
Collaborator

I see. We can certainly do that. I'm trying to think how this will play out, because at some point I would want to drop koanf for koanf/v2 completely. Say we do this now and people update; if they clean up their go.mod files properly, koanf should be replaced with koanfv2. Then, in a future version, we can drop koanfv2 again and since the go.mod files will no longer contain a reference to koanf it should just work. Does that make sense?

@theseion
Collaborator

Do you still want to first revert to koanf or should we just make that namespace change in this PR?

@fzipi
Member Author

fzipi commented Nov 23, 2023

Let's do the namespace change instead. I'll push the changes here.

@fzipi
Member Author

fzipi commented Nov 23, 2023

Moved to #212 instead. If that doesn't work, we can push this one.
