Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to lock version for indirect dependency #1326

Closed
lujiajing1126 opened this issue Dec 2, 2020 · 2 comments · Fixed by #1327
Closed

Unable to lock version for indirect dependency #1326

lujiajing1126 opened this issue Dec 2, 2020 · 2 comments · Fixed by #1327
Labels
needs-triage New issues, in need of classification

Comments

@lujiajing1126
Copy link
Contributor

lujiajing1126 commented Dec 2, 2020
edited
Loading

As we have discussed in PR #1319, I tried to run go mod tidy on the master branch and the indirect version of github.com/miekg/[email protected] went away. This dependency is introduced in #1298 intended to fix a CVE issue.

I suppose as per golang/go#40784 (comment), it is not possible to lock/pin an indirect dependency. So we have to be very careful with this indirect dep.

Just a comment. I am not sure what we can do now. Maybe add a git-hook to ensure? @jpkrohling
@github-actions github-actions bot added the needs-triage New issues, in need of classification label Dec 2, 2020
@jpkrohling
Copy link
Contributor

Should it be part of the replaces section? I'm not quite sure what's the recommended approach for Go modules...

@lujiajing1126
Copy link
Contributor Author

Should it be part of the replaces section? I'm not quite sure what's the recommended approach for Go modules...

According to the official spec, I suppose it can be done with replace. https://github.com/golang/go/wiki/Modules#when-should-i-use-the-replace-directive

@lujiajing1126 lujiajing1126 mentioned this issue Dec 2, 2020
Merged
@mergify mergify bot closed this as completed in #1327 Dec 2, 2020
mergify bot pushed a commit that referenced this issue Dec 2, 2020
@lujiajing1126
Fix unstable mod tidy (#1327)
3160523 
Fix #1326 

Signed-off-by: Megrez Lu <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs-triage New issues, in need of classification
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix unstable mod tidy
2 participants
@jpkrohling @lujiajing1126