
Cleanup & consolidate dependencies #7218

@stoewer

Description

This is the parent/epic issue for reducing Tempo's supply-chain attack surface and tidying up go.mod.
A recent audit found multiple actionable items: unmaintained or deprecated packages with direct imports, multiple major versions of the same library in the graph, and small single-purpose libs that can be inlined.
Link issues and PRs that handle individual or multiple action items to the respective bullet point.

Note: this issue leaves out changes related to github.com/gogo/protobuf and github.com/golang/protobuf because they are part of a bigger initiative.

Remove

  • github.com/pkg/errors #7235

    • Action: Drop the dependency; replace errors.Wrap(err, "msg") with fmt.Errorf("msg: %w", err) and use stdlib errors.Is / errors.As.
    • Importance: Medium
    • Reason: Quietly abandoned since 2020-01-14 (>5y). Go 1.13+ stdlib covers every API we use. Direct imports in 5 files (modules/livestore/partition_reader.go, pkg/ingest/reader_client.go, tempodb/encoding/vparquet{3,4,5}/block_autocomplete.go).
  • chore(dep) replace davecgh/go-spew debug dumps #7295

    • Action: Remove direct usage; replace spew.ConfigState{}.Sdump(...) with fmt.Sprintf("%#v", ...). Package will remain as an indirect dep via testify; only our two direct imports need to go.
    • Importance: Low
    • Reason: Last commit 2018-02-21 (>7y); old-pseudo-version pin in our go.mod. Only 2 direct call sites (cmd/tempo-cli/cmd-query-trace-summary.go, pkg/traceql/ast_validate_test.go) and they're debug helpers.
  • chore(deps) replace go-test/deep with google/go-cmp #7296

    • Action: Drop the dependency; switch the 2 call sites to github.com/google/go-cmp/cmp.Diff (already a direct dep, Google-maintained).
    • Importance: Low
    • Reason: Single-author lib used only in cmd/tempo-vulture (main.go + test). google/go-cmp is strictly better-maintained and already in the build.

Update

  • chore(deps) migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 #7241

    • Action: Pure import-path migration for 5 call sites (cmd/tempo/app/app.go, cmd/tempo-cli/cmd-suggest-columns.go, pkg/docsgen/generate_manifest.go, 2 tests). Drop the gopkg.in/yaml.v3 direct require — go.yaml.in/yaml/v3 is already an indirect dep at v3.0.4.
    • Importance: High
    • Reason: gopkg.in/yaml.v3 last release was 2022-05; upstream go-yaml/yaml is unmaintained. The YAML community has taken over at go.yaml.in/yaml/v3 (same code, new canonical path, fresher tags). Currently we ship both copies for no reason. Blast radius ~175 modules.
  • chore(deps) upgrade go-redis from v8 to v9 #7247

    • Action: Bump cache layer to v9 (pkg/cache/redis_cache.go, pkg/cache/redis_client.go, pkg/cache/redis_cache_test.go). v9 requires context.Context on every method. alicebob/miniredis/v2 works against v9, so the test fake stays.
    • Importance: High
    • Reason: v8 last commit 2022-11; v9 is the supported branch (same vendor, new module path under github.com/redis/...). Hot path — request-path cache.
  • chore(deps) upgrade grpc-ecosystem/go-grpc-middleware from v1 to v2 #7246

    • Action: Migrate 2 files (modules/distributor/forwarder/otlpgrpc/forwarder.go, modules/frontend/interceptor/interceptor.go) to v2 and drop v1 from go.mod. v2 is already in the indirect graph; chain-construction API renamed.
    • Importance: Medium
    • Reason: v1 last release 2023-03; v2 is the actively-developed line and already in the build. Two major versions of the same package shipping for two import sites.
  • chore(deps) upgrade evanphx/json-patch to v5 module path #7292

    • Action: Migrate the one import in modules/overrides/userconfigurable/api/api.go to the /v5 module path.
    • Importance: Low
    • Reason: We currently depend on the unversioned v0 line via the +incompatible shim, which is essentially frozen. The /v5 module path is the one that receives fixes and follows semver properly.

Replace

  • Replace go-kit/log with log/slog #4819
    • Action: Migrate ~169 direct call sites to stdlib log/slog (Go 1.21+). Plan as a deliberate cross-cutting refactor; expect to touch every module.
    • Importance: Low
    • Reason: Last release 2022-04 (>3y); project in slow maintenance and most of the Go ecosystem is migrating to log/slog. No urgency, go-kit/log is stable and still works, but it should be the long-term direction.

Replace (with internal)

  • chore(deps) replace github.com/segmentio/fasthash #7305

    • Action: Add a small pkg/util/fnv1a package (~25 LoC, well-known algorithm) and migrate the 8 importers. Verify hash output is byte-for-byte identical to segmentio/fasthash to preserve query-frontend cache keys across the upgrade and keep distributor sharding deterministic.
    • Alternative action: Swap to github.com/cespare/xxhash/v2 (already a direct dep). Introduce a small pkg/util/hash helper that wraps *xxhash.Digest to mirror the current HashString64/AddString64/AddUint64 chain style (~30 LoC). Upsides: xxhash64 has better performance and full 64-bit avalanche and passes SMHasher, which eliminates a latent cache-collision risk in cache_keys.go. Downsides: changes the hash output, so every entry in the persisted memcached/redis query-frontend cache becomes a miss on deploy until the cache rewarms.
    • Importance: Medium-High
    • Reason: Last release 2020-05; Segment archived much of its OSS in 2024. Imports in distributor, frontend sharder, livestore search, and vparquet rebatcher all use the fnv1a.HashString64 / AddString64 / AddUint64 chain API. Removing the dependency closes a stale supply-chain entry; the xxhash alternative additionally upgrades hash quality on cache-key paths.
  • github.com/jsternberg/zap-logfmt #7307

    • Action: Build an in-tree zapcore.Encoder that wraps github.com/go-logfmt/logfmt (already a direct dep, actively maintained). Migrate the 4 callers (cmd/tempo-query/main.go, cmd/tempo-vulture/main.go, modules/distributor/forwarder/forwarder.go, modules/distributor/receiver/shim.go). ~80 LoC.
    • Importance: Medium
    • Reason: Last commit 2022-08; single maintainer. Our usage is one function (zaplogfmt.NewEncoder); the encoder contract is small and well-defined. Removes a single-maintainer dependency from a hot logging path.
  • replace drone/envsubst with stdlib os.ExpandEnv #7310

    • Action: Replace the 2 envsubst.EvalEnv(string) call sites (cmd/tempo/main.go:178, modules/overrides/runtime_config_overrides.go:98) with stdlib os.Expand / os.ExpandEnv. If the bash-like ${X:-default} syntax is needed, ~40 LoC suffices.
    • Alternative action: update to github.com/drone/envsubst/v2 (same maintainer; fresher tags) if we'd rather keep an external implementation.
    • Importance: Medium
    • Reason: Latest release 2021-06 (>4y); Drone CI itself is on life-support. Two files, one function each — the minimal surface makes inlining attractive and removes any future risk if the project goes fully unmaintained.
  • github.com/facette/natsort

    • Action: Inline a natural-order comparator into pkg/util (~30 LoC) and migrate pkg/cache/memcached_client_selector.go (+ its test).
    • Alternative action: swap to github.com/maruel/natural if we'd rather keep an external implementation with similar API.
    • Importance: Low
    • Reason: Last commit 2018-12 (>7y), single contributor, old-pseudo-version pin. Used in one place — sorting memcached server addresses naturally — with a tiny, well-known algorithm.
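The in-tree fnv1a package proposed for the segmentio/fasthash replacement above, written here as an added example (not Tempo code and not the fasthash source): it mirrors the HashString64 / AddString64 / AddUint64 chain API and includes the byte-for-byte check a reviewer would want, comparing the chain output against the standard library's hash/fnv for the same byte stream. The big-endian byte order in AddUint64 is an assumption to confirm against the vendored fasthash before cache keys or shard assignments are allowed to depend on it.

```go
// Added example, not Tempo or segmentio/fasthash code: a stdlib-only FNV-1a 64
// implementation with the fasthash-style chain API, plus a self-check against
// hash/fnv so output stability can be verified before the dependency is dropped.
package main

import (
	"encoding/binary"
	"fmt"
	"hash/fnv"
)

const (
	// Standard FNV-1a 64-bit parameters (offset basis and prime).
	offset64 = uint64(14695981039346656037)
	prime64  = uint64(1099511628211)
	// Init64 is the seed for a chained hash, named as in fasthash's fnv1a package.
	Init64 = offset64
)

// AddString64 folds the bytes of s into the running hash h (xor, then multiply).
func AddString64(h uint64, s string) uint64 {
	for i := 0; i < len(s); i++ {
		h = (h ^ uint64(s[i])) * prime64
	}
	return h
}

// HashString64 hashes s starting from the standard seed.
func HashString64(s string) uint64 { return AddString64(Init64, s) }

// AddUint64 folds the eight bytes of u into h, most significant byte first.
// Assumption: this big-endian byte order matches fasthash; confirm against the
// vendored package before relying on cross-version key stability.
func AddUint64(h uint64, u uint64) uint64 {
	for shift := 56; shift >= 0; shift -= 8 {
		h = (h ^ ((u >> uint(shift)) & 0xFF)) * prime64
	}
	return h
}

// stdlibFNV1a64 is the reference value from hash/fnv for the same byte stream.
func stdlibFNV1a64(parts ...[]byte) uint64 {
	f := fnv.New64a()
	for _, p := range parts {
		f.Write(p)
	}
	return f.Sum64()
}

// VerifyAgainstStdlib reports whether the chain API reproduces hash/fnv for a
// string followed by a uint64, the shape of a sharding-style key.
func VerifyAgainstStdlib(s string, u uint64) bool {
	ours := AddUint64(AddString64(Init64, s), u)
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], u)
	return ours == stdlibFNV1a64([]byte(s), b[:])
}

func main() {
	// Constructed sample inputs; "a" is a published FNV-1a 64 test vector.
	for _, s := range []string{"", "a", "tenant-1/search?q=span"} {
		fmt.Printf("%-26q %#016x stdlib-match=%v\n", s, HashString64(s), VerifyAgainstStdlib(s, 42))
	}
}
```

The check against hash/fnv proves the new code is FNV-1a, which is necessary but not sufficient: the migration PR should additionally pin a handful of real cache keys and shard inputs hashed by the old package as golden values, since a byte-order slip in AddUint64 would still pass the stdlib comparison while silently re-keying the cache.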

Postponed

  • github.com/gorilla/mux
    • Action: Migrate the 12 importing files (cmd/tempo/app/app.go + 11 others) to stdlib net/http pattern routing (Go 1.22+).
    • Alternative action: github.com/go-chi/chi/v5 if we want more middleware ergonomics than stdlib offers.
    • Importance: Low
    • Reason: Latest release 2023-10-18; project in slow-maintenance mode (not officially deprecated, but very few commits). Go 1.22's http.ServeMux pattern matching covers our usage. Defer until we have a deliberate routing refactor. Not pressing while mux is still receiving patches.
    • Why not now: gorilla/mux is also used by dskit. Replacing the dependency should be synchronized with dskit.
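The stdlib replacement for drone/envsubst described under "Replace (with internal)" above, as an added example rather than Tempo code: os.Expand with a mapping function that understands the bash-like ${X:-default} form, plus a strict variant that reports unresolved variables instead of silently substituting an empty string (so an unset secret cannot become an empty credential). The function names and the sample config fragment are constructed for this example.

```go
// Added example, not Tempo code: ${VAR:-default} expansion on top of os.Expand.
// Only the ":-" form is handled; os.Expand stops at the first "}", so a default
// value cannot itself contain "}". Unset variables without a default expand to
// "" in the lenient variant, matching os.ExpandEnv.
package main

import (
	"fmt"
	"os"
	"strings"
)

// resolve implements the lookup for one placeholder. os.Expand hands over the raw
// text between the braces, so "${X:-d}" arrives as "X:-d" and "$X" as "X".
func resolve(name string, lookup func(string) (string, bool)) (string, bool) {
	key, def, hasDef := strings.Cut(name, ":-")
	// bash semantics: ":-" applies when the variable is unset OR empty.
	if v, ok := lookup(key); ok && (v != "" || !hasDef) {
		return v, true
	}
	if hasDef {
		return def, true
	}
	return "", false
}

// ExpandWithDefaults expands $VAR, ${VAR} and ${VAR:-default}; unresolved names
// become "" (lenient, like os.ExpandEnv).
func ExpandWithDefaults(s string, lookup func(string) (string, bool)) string {
	return os.Expand(s, func(name string) string {
		v, _ := resolve(name, lookup)
		return v
	})
}

// ExpandStrict is the same expansion but fails when any placeholder without a
// default is unset, listing the offending variable names.
func ExpandStrict(s string, lookup func(string) (string, bool)) (string, error) {
	var missing []string
	out := os.Expand(s, func(name string) string {
		v, ok := resolve(name, lookup)
		if !ok {
			missing = append(missing, name)
		}
		return v
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unresolved variables: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

func main() {
	// Constructed config fragment, not a real Tempo configuration.
	cfg := "storage:\n  backend: ${BACKEND:-s3}\n  endpoint: ${S3_ENDPOINT}\n  secret: ${S3_SECRET_KEY}\n"
	fmt.Print(ExpandWithDefaults(cfg, os.LookupEnv))
	if _, err := ExpandStrict(cfg, os.LookupEnv); err != nil {
		fmt.Println("strict mode:", err)
	}
}
```

Taking the lookup as a parameter keeps the function testable without touching the process environment; production callers pass os.LookupEnv. If the existing call sites rely on envsubst forms beyond ${X:-default} (for example ${X-default} or substring operators), grep the deployed configs for them before switching, since os.Expand will quietly treat an unknown form as a variable name.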

Metadata

Labels: dependencies (Pull requests that update a dependency file)
