Hi Richard — we're using go-syncmap in axonops/go-audit for type-safe concurrent map access in the event filtering path. The library works great and the code is solid.
We've been doing a supply chain security review of all our dependencies (tracked in axonops/audit#158) since go-audit is aimed at regulated environments where consumers need to audit their entire dependency chain. A few things would help us (and any other downstream consumers) when doing these reviews:
1. CI workflow
A basic GitHub Actions workflow running go test -race ./... and go vet ./... on push/PR. Even a minimal one gives downstream projects confidence that changes are tested before tagging a release. Happy to submit a PR for this if you'd like.
2. SECURITY.md
A short file pointing to GitHub Security Advisories for vulnerability reporting. Most automated supply chain tools (OpenSSF Scorecard, Snyk, etc.) check for this and penalise projects without one.
3. README badges
CI status, Go Reference (pkg.go.dev), and licence badges. These help automated tools assess project health at a glance.
4. Dependabot (optional)
Since the library has no external dependencies this is mostly cosmetic, but having it configured signals active maintenance to automated scanners.
None of these are urgent and the library works perfectly as-is — these are just things that would help us tick the boxes for our security audits. Happy to help with PRs for any of these if useful.
Tracking: axonops/audit#158
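For reference, a minimal GitHub Actions workflow of the kind item 1 describes. This is an added example, not code from the issue above or from the go-syncmap repository; it assumes the default branch is `main`, that a `go.mod` sits at the repository root, and current major versions of `actions/checkout` and `actions/setup-go`:

```yaml
# .github/workflows/ci.yml (example, not the project's own file)
name: ci

on:
  push:
    branches: [main]   # assumption: default branch is "main"
  pull_request:

# Least privilege: the job only reads the checkout; it does not need write
# access to the repository or to packages.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # assumption: go.mod at repository root
      - run: go vet ./...
      - run: go test -race ./...
```

The explicit `permissions` block and the two `run` steps are what the issue asks for; if the maintainer also wants to score well on OpenSSF Scorecard's Pinned-Dependencies check, the `uses:` references should be pinned to full commit SHAs rather than the `@v4`/`@v5` tags shown here.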