add error msg to set the dep into replaces #18

Merged
merged 1 commit into from
Jan 18, 2024

Conversation

hectorj2f
Member

Whenever we set in deps a dependency that will get removed once go mod tidy runs, we need to return a proper error that indicates how to solve it. In this case, the way to solve it requires adding it to the list of replaces.

@hectorj2f hectorj2f added the bug Something isn't working label Jan 17, 2024
@hectorj2f hectorj2f self-assigned this Jan 17, 2024
@hectorj2f hectorj2f requested a review from luhring January 17, 2024 17:58
@luhring
Member

luhring commented Jan 17, 2024

I may be misunderstanding this, but is it possible that the reason go mod tidy removed it from go.mod is that the dependency is no longer needed at all (any version)?

If the goal is to resolve a vulnerability, and based on other updates, the project no longer has a need for a given Go module dependency, wouldn't it be better not to add it to replaces?

@hectorj2f
Member Author

@luhring Good question. Yes and no, this can happen in both scenarios, when you don't need a dep (what you mention) or when you really want a specific version of a dependency that is not vulnerable but other deps OR go-mod-tidy reverted that change.
For instance, I want a specific version of otel/grpctrace but go mod tidy does revert my change because other deps use another dependency, etc... If I really know that this dep is what I want, I need to add it to replaces (together with other deps otel, otel/sdk...) to instruct go mod tidy to stick with a certain version instead of another.

@hectorj2f hectorj2f force-pushed the handle_dep_not_in_gomod branch from 0675652 to 9720cc6 Compare January 18, 2024 06:19
@hectorj2f hectorj2f enabled auto-merge (squash) January 18, 2024 06:19
@hectorj2f hectorj2f force-pushed the handle_dep_not_in_gomod branch from 9720cc6 to 066599f Compare January 18, 2024 06:23
@hectorj2f hectorj2f merged commit 676636f into chainguard-dev:main Jan 18, 2024
5 checks passed
@hectorj2f hectorj2f deleted the handle_dep_not_in_gomod branch January 18, 2024 06:32
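The check discussed in this thread, sketched as an added example (not the project's own code): after `go mod tidy`, compare each requested pin with what go.mod still requires and return an error that names the remedy for both cases raised above. The `pin` type, the function names, and the module paths and versions are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

type pin struct{ path, version string }

// requires maps module path -> version for each require line of a go.mod
// (line-based and stdlib-only here; golang.org/x/mod/modfile is the robust parser).
func requires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		switch f := strings.Fields(line); {
		case len(f) == 2 && f[1] == "(":
			inBlock = f[0] == "require"
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// checkPins returns one error per requested pin the tidied go.mod no longer honours.
func checkPins(tidied string, wanted []pin) []error {
	have, errs := requires(tidied), []error(nil)
	for _, p := range wanted {
		switch got, ok := have[p.path]; {
		case !ok:
			errs = append(errs, fmt.Errorf("%s: removed by go mod tidy; drop it from deps if unused, else add it to replaces", p.path))
		case got != p.version:
			errs = append(errs, fmt.Errorf("%s: tidy kept %s, want %s; add it to replaces", p.path, got, p.version))
		}
	}
	return errs
}

// Constructed post-tidy go.mod; module paths and versions are placeholders.
const tidiedGoMod = "module example.com/app\n\nrequire (\n\texample.com/liba v1.2.0\n\texample.com/libb v1.4.0 // indirect\n)\n"

func main() {
	wanted := []pin{{"example.com/liba", "v1.2.0"}, {"example.com/libb", "v1.5.0"}, {"example.com/libc", "v0.9.1"}}
	fmt.Println(checkPins(tidiedGoMod, wanted))
}
```

A pin that is silently dropped or reverted leaves the vulnerable version in the build, so failing loudly here is what keeps a remediation from appearing to succeed when it did not.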