This process was approved by TSC vote on 7/22/20.

The process for objectively assessing the security risk of third-party open source components or dependencies is outlined below. It takes into account both the legacy way of performing the assessment and the new process discussed within the project during the Hanoi development time frame.

The Process

The process should take into consideration relevant data such as the project's age, popularity / maturity, evidence of security practices, recent commit history, diversity of committers, established CVE practices, or other observable evidence. In terms of licensing compliance, the ideal process should also consider the license associated with the component.

...

Approved Go Modules (those in red are being investigated for replacement; avoid them if possible)

...

See Approved Go Modules/Packages

Process Research

...

Explore Documentation: Issue-1947

...