x/exp/cmd/gorelease: report requirements on retracted module versions #37781

Open
jayconrod opened this issue Mar 10, 2020 · 5 comments

@jayconrod jayconrod commented Mar 10, 2020

A mechanism for retracting module versions is described in #24031, specifically in this comment.

gorelease should report an error if the module requires a retracted module version directly or transitively. This will help module authors avoid depending on retracted versions.


@jadekler jadekler commented Oct 14, 2020

Impl note: go list -m -u, go list -retracted, and go get will note whether a dependency is retracted.

Impl note: definitely should report direct dependencies, maybe transitive.

@jayconrod jayconrod modified the milestones: Unreleased, gorelease Oct 14, 2020

@jayconrod jayconrod commented Oct 14, 2020

In particular, the command below will list retracted dependencies in a machine-readable format.

go list -m -retracted -f '{{if .Retracted}}{{.Path}}@{{.Version}}{{end}}' all

@myitcv myitcv commented Nov 8, 2020

Arrived here on the back of trying out module retractions.

> Impl note: definitely should report direct dependencies, maybe transitive.

I would say definitely should report transitive deps. After all, a module is marked as retracted for at least the following reasons:

  • A severe security vulnerability has been identified.
  • A severe incompatibility or bug was discovered.
  • The version was published accidentally or prematurely. (#34189)

(quoting #24031 (comment))

I would suggest this is a fairly important feature to land "soon". Reason being, gorelease will then become the go-to tool for people running CI checks on their modules (which is a good place to be).


@jadekler jadekler commented Apr 15, 2021

@gopherbot gopherbot commented Apr 15, 2021

Change https://golang.org/cl/310370 mentions this issue: cmd/gorelease: report a diagnostic error for retracted dependencies

@jadekler jadekler self-assigned this Apr 15, 2021
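
The check discussed in this thread, as an added example that is not part of the original discussion and is not gorelease's implementation: it parses the JSON form of the listing (`go list -m -retracted -json all`, going beyond the `-f` template above) and labels each retracted requirement as direct or indirect. The `module` type, `retractedDeps` function and the sample module paths are hypothetical names constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// module is the subset of `go list -m -json` fields this check needs.
type module struct {
	Path, Version  string
	Main, Indirect bool
	Retracted      []string // retraction rationales; empty if not retracted
}

// sampleOutput is constructed for this example; all module paths are hypothetical.
const sampleOutput = `{"Path":"example.com/app","Main":true}
{"Path":"example.com/direct","Version":"v1.2.0","Retracted":["security fix missing"]}
{"Path":"example.com/fine","Version":"v0.9.0","Indirect":true}
{"Path":"example.com/deep","Version":"v0.3.1","Indirect":true,"Retracted":["published accidentally"]}`

// retractedDeps reads a stream of module JSON objects and returns one diagnostic per retracted dependency.
func retractedDeps(r io.Reader) (diags []string, err error) {
	dec := json.NewDecoder(r)
	for dec.More() {
		var m module
		if err = dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Main || len(m.Retracted) == 0 {
			continue // the main module and non-retracted versions need no report
		}
		kind := "direct"
		if m.Indirect {
			kind = "indirect"
		}
		diags = append(diags, fmt.Sprintf("%s dependency %s@%s is retracted: %s", kind, m.Path, m.Version, strings.Join(m.Retracted, "; ")))
	}
	return diags, nil
}

func main() {
	diags, err := retractedDeps(strings.NewReader(sampleOutput))
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(diags, "\n"))
}
```

In CI, the same function can read the real listing from standard input, and a non-empty result can fail the build.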