proposal: cmd/go: make go.mod exclude directives deterministic #36465
The "next" higher version depends on the list of available versions and may change over time. When the
This behavior also makes the build non-deterministic. Since the "next" version may change, the build list may vary depending on when the build was run and which proxy was used. A malicious proxy may selectively show and hide versions, but if the checksum database is being used, a proxy can't introduce a version that wasn't created by the module author without being detected.
If an excluded version is required in the main module's
In this example,
This appears to be the root cause of #36453.
Together, these changes prevent the
In the above example, the
I think (2) is important.
As an alternative to (1), we could instead ignore the excluded requirement entirely. (If we know that the main module already has a dependency on a higher version anyway, then replacing the lower version with the higher one has the same effect as dropping the lower one entirely.)
That would drop the excluded edges from
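The two resolution rules under discussion, as an added Go sketch that is not code from the Go project or from this issue: `nextAvailable` models the current "next higher version" behaviour, whose answer changes with the version list a proxy returns, and `resolveDeterministic` models the proposed rule, where the main module's own higher requirement decides and no version list is consulted. The function names, the three-part version parser and the version lists used in the comments are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// parseVersion splits "vMAJOR.MINOR.PATCH" into numeric parts (constructed
// helper; pre-release suffixes are not handled since the example needs none).
func parseVersion(v string) [3]int {
	var out [3]int
	for i, p := range strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// less reports whether version a sorts before version b.
func less(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// nextAvailable models the current rule: the excluded requirement becomes the
// lowest non-excluded version above it that the proxy lists, so the result
// depends on which versions the proxy chooses to show.
func nextAvailable(excluded string, excludes map[string]bool, available []string) string {
	sorted := append([]string(nil), available...)
	sort.Slice(sorted, func(i, j int) bool { return less(sorted[i], sorted[j]) })
	for _, v := range sorted {
		if less(excluded, v) && !excludes[v] {
			return v
		}
	}
	return "" // nothing higher is available
}

// resolveDeterministic models the proposed rule: the main module must require
// a non-excluded version above the excluded one, and that requirement wins
// regardless of any version list.
func resolveDeterministic(excluded string, excludes map[string]bool, mainReq string) (string, error) {
	if mainReq == "" || excludes[mainReq] || !less(excluded, mainReq) {
		return "", fmt.Errorf("main module must require a non-excluded version above %s", excluded)
	}
	return mainReq, nil
}
```

With `exclude v1.2.0` and the main module requiring `v1.3.0`, a proxy that lists `v1.2.1` and one that hides it give different answers under `nextAvailable` but the same answer under `resolveDeterministic`.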