proposal: please consider another lib than https://github.com/spf13/cast

[ccoVeille]

You have a proposal, explain it!

This lib is still maintained but the way it converts integer is very strange

https://github.com/spf13/cast

Describe the solution you'd like

a conversion of -1 | toUint should lead to error

Additional context

Please take a look at https://github.com/ccoVeille/go-safecast

I'm not suggesting to use my lib, but you might see some other examples.

Of course, I would be honored if you consider my lib

Code of Conduct

• I agree to follow this project's Code of Conduct

[42atomys]

Hello, thanks to have opening an issue.

I have try with v1.0.0-rc.2 and the template {{ toUint -1 }} result to the error defined here https://github.com/spf13/cast/blob/master/caste.go#L527 :

template: test:1:8: executing "test" at <toUint .V>: error calling toUint: unable to cast negative value

Can you check your code and give me the part impacted

[ccoVeille]

I reported the issue by reading the documentation

The problem I found was here

https://github.com/spf13/cast/blob/487df0093482b2ca1c00cb3b92e30899c37038a1/caste.go#L287

A uint can overflow int64

you can take 9223372036854775807 that is the max and add 1, so 9223372036854775808 using toInt or toInt64 on it, should cause errors, but it doesn't.

I reported by using the example of a negative number because it was simpler to explain, but I wrongly assumed negative number could cause a problem too.

But please note, I might be wrong again 🤕

[42atomys]

@ccoVeille Hi 👋 After some investigation, I believe it would be better to incorporate the casting directly into sprout itself to only have what we want and how we want it !

[ccoVeille]

I'm fine with this.

You can copy paste my code its on MIT license.

[42atomys]

Can I let you manipulate and incorporate your code ?

Feel free to add an header of the internal/cast package to mention your works and this discussion:

// This package provides functions for type casting safely and efficiently.
// Addressing gosec G115 and cwe-190 Integer Overflow or Wraparound.
//
// This code are copied from https://github.com/ccoVeille/go-safecast after
// discussing with the author on https://github.com/go-sprout/sprout/issues/76.
// The original code is licensed under MIT License.

Thanks 🙏

[ccoVeille]

Can you remind me why you don't want to use my lib?

You are already using other libs

    dario.cat/mergo v1.0.1
    github.com/Masterminds/semver/v3 v3.3.1
    github.com/google/uuid v1.6.0
    github.com/mitchellh/copystructure v1.2.0
    github.com/spf13/cast v1.7.0
    github.com/stretchr/testify v1.10.0
    golang.org/x/crypto v0.29.0
    golang.org/x/text v0.20.0
    gopkg.in/yaml.v3 v3.0.1

[42atomys]

Hi, the idea arent to "don't use your lib", is to limit and reduce the number of dependencies. spf13/cast is currently imported for just a few methods. The library ccoVeille/go-safecast only supports number casting at the moment. To add other casting methods like ToString, ToBool, or ToDuration, Sprout would need to depend on one additional library (+1 deps).

To eliminate this, there are two possible solutions:

1. Implement all required casting methods in go-safecast and fully replace spf13/cast (+0 deps).
2. Implement only the necessary functions directly in Sprout, reducing the number of dependencies without requiring significant effort on your part. (-1 deps)

[ccoVeille]

Thanks for replying me. It's clearer.

I had planed and it's almost ready to cast as bool and string (for string, I will have to check what spf13/cast does)

I will also check what spf13/cast does for duration. It's unclear to me

[42atomys]

@ccoVeille, have you had a chance to look into adding the missing cast method to safe-cast?

[ccoVeille]

Not yet, I worked on my own roadmap and added the things I needed.

I released v1.5.0 yesterday. My lib is now stable.

Please open an issue on my project with the exact need.

I don't know yet if I will support everything.

My lib is focused on number overflows.