Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: go get mysteriously (incorrectly?) downgrades a dependency for no reason I can find #60588

Closed
maxb opened this issue Jun 3, 2023 · 13 comments

Comments

@maxb
Copy link

maxb commented Jun 3, 2023

What version of Go are you using (go version)?

$ go version
go version go1.20.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN="/home/maxb/.local/bin"
GOCACHE="/home/maxb/.cache/go-build"
GOENV="/home/maxb/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/maxb/.cache/go-modules"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/maxb/.cache/go-path"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.4"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/maxb/code/vault/sdk/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build764324405=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ git clone https://github.com/hashicorp/vault
$ cd vault/sdk
$ git checkout 155003aa0cc054701096444b480bc7ab43d187b2     # Exact commit on 'main' at the time of writing
$ go get github.com/hashicorp/errwrap@v1.1.0

What did you expect to see?

No output and no changes caused by the go get command, as it is just re-stating an arbitrary existing module that is already present in go.mod already, at the version it is already present at.

What did you see instead?

go: downgraded github.com/google/tink/go v1.7.0 => v1.6.1

I am confused, I have no idea why Go is deciding to downgrade a seemingly unrelated module.

Considering the named module on the go get command line did not change version at all, it doesn't make sense to me that go get should be enforcing other up/downgrades.

Additionally, if I run:

$ go get github.com/google/tink/go@v1.7.0

to have go get undo the spurious change, then it does so:

go: upgraded github.com/google/tink/go v1.6.1 => v1.7.0

without making any other changes, thus showing there is not a pre-existing dependency conflict.

@Nasfame
Copy link
Contributor

Nasfame commented Jun 4, 2023

The go get command is used to add dependencies or update existing dependencies in a Go module. In this case, it seems that the go get command encountered a conflict between the requested version of github.com/hashicorp/errwrap (v1.1.0) and the existing version of github.com/google/tink/go (v1.7.0). As a result, it downgraded the github.com/google/tink/go module to resolve the conflict.

If you want to avoid such downgrades, you can specify the specific versions of the dependencies in your go.mod file to ensure that the desired versions are used. Alternatively, you can use Go modules' replace directive to override the dependency versions explicitly.

@seankhliao
Copy link
Member

resolved on tip.

@maxb
Copy link
Author

maxb commented Jun 5, 2023

Please re-open - not resolved.

As I said there is no conflict, because, as I said at the end of the initial message:

  • The requested version of github.com/hashicorp/errwrap (v1.1.0) is the version already in go.mod - I deliberately selected a no-change operation to showcase the inexplicable downgrade.

  • Explicitly re-upgrading github.com/google/tink/go back to the version before the downgrade, again using go get, succeeds without any conflicts.

@Nasfame
Copy link
Contributor

Nasfame commented Jun 5, 2023

@maxb

Here is a potential reason why go get downgraded

image

@maxb
Copy link
Author

maxb commented Jun 5, 2023

@Nasfame I don't see that message when I run that command! Have you any special settings in your environment to make it be displayed?

@maxb
Copy link
Author

maxb commented Jun 5, 2023

Um, actually, did you run that command exactly as it is shown in your screenshot? Because it's broken - it's missing a v before the version number, causing Go to return an entirely different error:

go: github.com/google/tink/go@1.7.0: invalid version: unknown revision 1.7.0

@Nasfame
Copy link
Contributor

Nasfame commented Jun 5, 2023

@maxb no i just followed the commands mentioned. I am using Github Codespaces by the way

@Nasfame
Copy link
Contributor

Nasfame commented Jun 5, 2023

I didn't make it up, yep i ran the same command in the screenshot

@maxb
Copy link
Author

maxb commented Jun 5, 2023

@Nasfame I suppose you're trying to help but so far you've convinced @seankhliao to close this issue based on a suggestion that doesn't help, and followed it up with a screenshot that can't be reproduced.

Could you get this issue reopened please?

@Nasfame
Copy link
Contributor

Nasfame commented Jun 5, 2023

@seankhliao kindly reopen this case

@seankhliao
Copy link
Member

As mentioned above, this was fixed on tip (current HEAD) of repo.
It wasn't closed based on the other comment.

@maxb
Copy link
Author

maxb commented Jun 5, 2023

Ah, thank you for clarifying.

Is there any more information available on what caused the unexpected downgrades?

@AlexanderYastrebov
Copy link
Contributor

I observed the same problem while updating https://github.com/AlexanderYastrebov/noleak that itself has no dependencies:

$ go version
go version go1.20.5 linux/amd64

$ go get github.com/AlexanderYastrebov/noleak@latest
go: downgraded ...
...

and I can confirm that tip does not downgrade but I could not figure out a specific fix commit from the git log.

AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Jul 31, 2023
Used go version go1.21rc3 linux/amd64 to update dependencies because
go1.20.6 unexpectedly updates unrelated dependencies,
see golang/go#60588 (comment)

Closes #2465
Closes #2486

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
RomanZavodskikh pushed a commit to zalando/skipper that referenced this issue Jul 31, 2023
Used go version go1.21rc3 linux/amd64 to update dependencies because
go1.20.6 unexpectedly updates unrelated dependencies,
see golang/go#60588 (comment)

Closes #2465
Closes #2486

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants
@maxb @AlexanderYastrebov @seankhliao @Nasfame and others