Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vgo: missing dependendency in go.mod file #25371

ardan-bkennedy opened this issue May 13, 2018 · 4 comments

x/vgo: missing dependendency in go.mod file #25371

ardan-bkennedy opened this issue May 13, 2018 · 4 comments


Copy link

@ardan-bkennedy ardan-bkennedy commented May 13, 2018

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.10.2 darwin/amd64 vgo:2018-02-20.1

Does this issue reproduce with the latest release?


What operating system and processor architecture are you using (go env)?


What did you do?

If possible, provide a recipe for reproducing the error.
A complete runnable program is good.
A link on is best.

Using this project

I added an empty go.mod file at the root of the project.
I ran the vgo build command
Once that was done, the go.mod file contained the following


require ( v0.0.0-20180213074414-7f532489e773 v0.0.0-20180122190007-c65b2f87fee3 v0.8.0 v0.9.0 v8.18.2 v2.0.0-20160818020120-3f83fa500528

What did you expect to see?

There is a dependency in my vendor folder that is missing from the go.mod file that is being used.

I expected to see that in the go.mod file.

When I run the vgo list -m command I do see this in the list.

$ vgo list -m -u
MODULE                                            VERSION                             LATEST                      -                                   -                               v0.21.0 (2018-04-09 13:38)          v0.22.0 (2018-05-09 10:25)                           v0.0.0-20180321164747-3a771d992973  -                    v0.0.0-20180213074414-7f532489e773  -                        v1.0.0 (2018-01-25 13:43)           v1.1.0 (2018-04-30 11:52)                      v0.0.0-20170915024731-317e0006254c  v1.0.0 (2017-09-01 17:52)  v1.0.0 (2016-04-23 10:36)           -                   v0.1.0 (2018-02-27 02:13)           -                           v0.0.0-20180122190007-c65b2f87fee3  -                             v0.8.0 (2016-09-28 18:48)           -               v0.8.0 (2016-08-17 08:48)           v0.9.0-pre1 (2017-08-31 06:19)                v0.0.0-20171117100541-99fa1f4be8e5  -                      v0.0.0-20180413074202-d0f7cd64bda4  v0.0.0-20180426121432-d811d2e9bf89                      v0.0.0-20180408092902-8b1c2da0d56d  -                                  v0.9.0 (2018-04-30 11:08)           -                                  v0.0.0-20180406214816-61147c48b25b  v0.0.0-20180511174649-2491c5de3490                               v0.0.0-20180402223937-921ae394b943  v0.0.0-20180503012634-cdc340f7c179                                 v0.0.0-20180314180146-1d60e4601c6f  -                                 v0.3.0 (2017-12-14 05:08)           -                             v0.0.0-20180413000347-fca24fcb4112  v0.0.0-20180513000358-15aea8711db9                       v1.0.0 (2016-09-29 13:31)           -                        v0.0.0-20180409222037-51d0944304c3  v0.0.0-20180427144745-86e600f69ee4                            v1.11.3 (2018-04-09 13:31)          v1.12.0 (2018-05-08 14:01)               v8.18.2 (2017-07-29 22:02)          -                                   v2.0.0-20160818020120-3f83fa500528  -

What did you see instead?

I just expected all my vendored dependencies to show up in the go.mod file.

@bcmills bcmills changed the title Missing dependendency in go.mod file x/vgo: missing dependendency in go.mod file May 13, 2018
@gopherbot gopherbot added this to the vgo milestone May 13, 2018

This comment has been minimized.

Copy link

@oiooj oiooj commented May 14, 2018

This issue occured if your project and one of your imports have a common dep, and the version is also equal.

In your codebase, needs, and also needs will be written into go.mod, but will not be.


This comment has been minimized.

Copy link

@bcmills bcmills commented Jun 15, 2018

As @oiooj notes, the go.mod file only contains requirements that are not implied transitively.
(Also recall that vgo build ignores the vendor/ directory in general.)

You should find that vgo vendor still copies the appropriate version into your vendor/ directory.

We certainly do need to work on some concise documentation for these sorts of properties, but I think that's a separate matter from this issue itself. Please feel free to reopen if you disagree.

@bcmills bcmills closed this Jun 15, 2018

This comment has been minimized.

Copy link

@rsc rsc commented Jun 27, 2018

Actually, @bcmills realized that the build list algorithm assumes that direct dependencies are listed explicitly in go.mod, so we'll start doing that, even when the result is not minimal. Will send a CL probably tomorrow.

@rsc rsc reopened this Jun 27, 2018

This comment has been minimized.

Copy link

@gopherbot gopherbot commented Jun 28, 2018

Change mentions this issue: cmd/go/internal/vgo: track directly-used vs indirectly-used modules

@rsc rsc closed this Jul 3, 2018
gopherbot pushed a commit to golang/vgo that referenced this issue Jul 10, 2018
A cleanup pass in mvs.BuildList discards modules that are not reachable
in the requirement graph as satisfied for this build. For example, suppose:

	A -> B1, C1
	B1 -> D1
	B2 -> nothing
	C1 -> nothing
	D1 -> nothing
	D2 -> nothing

The effective build list is A, B1, C1, D1 (no cleanup possible).

Suppose that we update from B1 to B2. The effective build list
becomes A, B2, C1, D1, and since there is no path through those
module versions from A to D, the cleanup pass drops D.

This cleanup, which is not in,
aims to avoid user confusion by not listing irrelevant modules in
the output of commands like "vgo list -m all".

Unfortunately, the cleanup is not sound in general, because
there is no guarantee all of A's needs are listed as direct requirements.
For example, maybe A imports D. In that case, dropping D and then
building A will re-add the latest version of D (D2 instead of D1).
The most common time this happens is after an upgrade.

The fix is to make sure that go.mod does list all of the modules
required directly by A, and to make sure that the go.mod
minimizer (Algorithm R in the blog post) does not remove
direct requirements in the name of simplifying go.mod.

The way this is done is to annotate the requirements NOT used
directly by A with a known comment, "// indirect".

For example suppose A imports Then the go.mod
looks like it always has:

	module m

	require v1.5.2

But now suppose we upgrade our packages to their latest versions.
Then go.mod becomes:

	module m

	require (
 v0.3.0 // indirect
 v1.99.99 // indirect

The "// indirect" comments indicate that this requirement is used
only to upgrade something needed outside module m, not to satisfy
any packages in module m itself.

Vgo adds and removes these comments automatically.
If we add a direct import of to some package in m,
then the first time we build that package vgo strips the "// indirect"
on the requirement line. If we then remove that
package, the requirement remains listed as direct (the conservative
choice) until the next "vgo mod -sync", which considers all packages
in m and can mark the requirement indirect again.
Algorithm R is modified to be given a set of import paths that must
be preserved in the final output (all the ones not marked // indirect).

Maintenance of this extra information makes the cleanup pass safe.

Seeing all directly-imported modules in go.mod
and distinguishing between directly- and indirectly-imported modules in go.mod
are two of the most commonly-requested features,
so it's extra nice that the fix for the cleanup-induced bug
makes go.mod closer to what users expect.

Fixes golang/go#24042.
Fixes golang/go#25371.
Fixes golang/go#25969.

Change-Id: I4ed0729b867723fe90e836c2325f740b55b2b27b
Reviewed-by: Bryan C. Mills <>
@golang golang locked and limited conversation to collaborators Jul 3, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.