Bug 1889252 - The operator SDK 0.17 pull package with non-permitted package (bou.ke/monkey)
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Operator SDK
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jesus M. Rodriguez
QA Contact: Fan Jia
Depends On:
Reported: 2020-10-19 07:45 UTC by peter ducai
Modified: 2020-10-19 17:01 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-19 15:02:00 UTC
Target Upstream Version:


Description peter ducai 2020-10-19 07:45:10 UTC
Description of problem:

The operator SDK 0.17 pulls in package https://github.com/bouk/monkey/ through the dependency graph. The license terms on this package are at https://github.com/bouk/monkey/blob/master/LICENSE.md and say 'I do not give anyone permissions to use this tool for any purpose. Don't use it.'

This appears to have been fixed in the Operator SDK 0.18, but the customer is not able to update to that at the moment due to breaking changes. Can a backport/fix be provided for 0.17?
This package is pulled in indirectly through the operator SDK dependency on github.com/otiai10/copy and github.com/otiai10/mint. Using operator-sdk 0.17. It causes this non-permitted package to be pulled into a wide number of IBM operators.

Version-Release number of selected component (if applicable):
operator-sdk 0.17

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 1 Jesus M. Rodriguez 2020-10-19 14:30:00 UTC
This issue has been fixed in later versions of the Operator SDK. We recommend upgrading to a newer version of the Operator SDK. We have no plans to update the v0.17.x.

In the short term you could upgrade to v0.19.4 which supports the older operator scaffolding. https://v0-19-x.sdk.operatorframework.io/docs/migration/

If you want to prepare for the longer term, consider migrating to the latest Operator SDK version v1.1.0:
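
Added example, not part of the original bug report or of the Operator SDK project: one way to trace how a non-permitted module such as bou.ke/monkey reaches an operator is to walk `go mod graph` output and report the shortest require chain. The sample graph, the root module `example.com/my-operator`, the `v0.0.0` versions, the exact edges and the `PathTo` helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output: root module, versions and edges are placeholders.
const sampleGraph = `example.com/my-operator github.com/operator-framework/operator-sdk@v0.0.0
example.com/my-operator k8s.io/client-go@v0.0.0
github.com/operator-framework/operator-sdk@v0.0.0 github.com/otiai10/copy@v0.0.0
github.com/otiai10/copy@v0.0.0 github.com/otiai10/mint@v0.0.0
github.com/otiai10/mint@v0.0.0 bou.ke/monkey@v0.0.0`

// PathTo returns the shortest require chain from module root to module
// denied (versions ignored), or nil when denied is not reachable.
func PathTo(graph, root, denied string) []string {
	edges, parent := map[string][]string{}, map[string]string{root: ""}
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		from, _, _ := strings.Cut(f[0], "@") // drop "@version"
		to, _, _ := strings.Cut(f[1], "@")
		edges[from] = append(edges[from], to)
	}
	// Breadth-first search; parent[] lets us rebuild the chain on a hit.
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		if cur == denied {
			var chain []string
			for n := cur; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	fmt.Println(strings.Join(PathTo(sampleGraph, "example.com/my-operator", "bou.ke/monkey"), " -> "))
}
```

Run against the real output of `go mod graph` in the operator's module directory, a non-nil result names the direct dependency to upgrade or replace; a nil result can serve as a CI gate for a license deny-list.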
