Consider removing easyjson dependency due to sanction concerns

[alexandear]

This project has an indirect dependency on github.com/mailru/easyjson, a Go library with maintainers based in Russia and affiliated with VK Group. VK Group has known ties to the Russian government and a history of cooperating with Russian security services, including sharing user data.

According to the Hunted Labs report, "The Russian Open Source Project That We Can’t Live Without", this dependency poses a significant supply chain risk. A compromised easyjson library could lead to severe consequences, including:

• Supply chain backdoors
• Remote code execution
• Espionage
• Data exfiltration
• Potential "kill switch" functionality

To mitigate these risks, I propose to remove this indirect dependency.

Dependency that rely on easyjson is github.com/wk8/go-ordered-map/v2

[daveshanley]

Oh dear.

This is one of the reasons why I avoid dependencies. Let me see how I can decouple this. It's probably going to require some forking.

[daveshanley]

I can't remove it, without providing an alternative. The solution is to fork it and re-build the parts that depend on easyjson using the standard library.

[daveshanley]

easyjson has been removed from our supply chain.

Thank you for the alert.

https://github.com/pb33f/libopenapi/releases/tag/v0.25.1

[califlower]

RIP. I've been using ordered maps for other stuff :<