
feature request: Capability diff between two versions of a given Go module/package. #35

@mewmew


First off, really happy to see the birth of the capslock tool as having a way to track capabilities used by transitive dependencies is key to mitigating supply-chain attacks.

One feature that would be really incredible to incorporate in capslock and associated tools is to easily diff the capabilities added/removed in between two versions of a given Go module/package.

And furthermore, make it possible to hook this functionality up to go get -u.

Imagine being able to run go get -u ./... to update packages of a Go module and having warnings be emitted for newly added capabilities of transitive dependencies.

E.g.

```shell
$ go get -u github.com/org/repo/pkg
WARNING: new capability added to `github.com/org/repo/pkg` (os/exec). Added in version 2023-09-26-githash.
```

Of course, neither `go get` nor capslock needs to perform the capability diff itself; it could be a third glue tool that reads the versions (of updated dependencies) from `go get -u` and the JSON output of capabilities from capslock and prints warnings for newly added capabilities.

Once more, thanks for working to improve this space and help regain confidence in the capabilities utilized by dependencies in the open source community.

With cheerful regards,
Robin
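The glue tool sketched in the request, written out as an added example that is not part of this issue and not capslock's own code. It parses two capslock JSON reports (one taken before and one after the update), computes the capabilities each package gained, and formats the warning lines. The `capability_info` / `package_name` / `capability` field names are an assumption about the capslock JSON schema, the capability names and package paths are constructed sample values, and the version map stands in for whatever `go get -u` reports:

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// One entry of a capslock JSON report. The JSON field names are an ASSUMPTION
// about the capslock output schema; verify them against a real report.
type capabilityInfo struct {
	PackageName string `json:"package_name"`
	Capability  string `json:"capability"`
}

type capabilityInfoList struct {
	CapabilityInfo []capabilityInfo `json:"capability_info"`
}

// capSet maps a package path to the set of capability names it uses.
type capSet map[string]map[string]bool

// parseCapabilities folds a report into a per-package capability set.
func parseCapabilities(report []byte) (capSet, error) {
	var list capabilityInfoList
	if err := json.Unmarshal(report, &list); err != nil {
		return nil, err
	}
	set := capSet{}
	for _, ci := range list.CapabilityInfo {
		if set[ci.PackageName] == nil {
			set[ci.PackageName] = map[string]bool{}
		}
		set[ci.PackageName][ci.Capability] = true
	}
	return set, nil
}

// AddedCapabilities returns, per package, the sorted capabilities present in
// newReport but absent from oldReport. A package that is new in newReport is
// reported with all of its capabilities; packages that gained nothing are omitted.
func AddedCapabilities(oldReport, newReport []byte) (map[string][]string, error) {
	oldSet, err := parseCapabilities(oldReport)
	if err != nil {
		return nil, fmt.Errorf("old report: %w", err)
	}
	newSet, err := parseCapabilities(newReport)
	if err != nil {
		return nil, fmt.Errorf("new report: %w", err)
	}
	added := map[string][]string{}
	for pkg, caps := range newSet {
		for c := range caps {
			if !oldSet[pkg][c] { // indexing a nil inner map yields false
				added[pkg] = append(added[pkg], c)
			}
		}
		sort.Strings(added[pkg])
	}
	return added, nil
}

// FormatWarnings renders one warning line per added capability, ordered by
// package path. versions maps package path -> version string as reported by
// `go get -u`; packages without an entry are labelled "unknown".
func FormatWarnings(added map[string][]string, versions map[string]string) []string {
	pkgs := make([]string, 0, len(added))
	for pkg := range added {
		pkgs = append(pkgs, pkg)
	}
	sort.Strings(pkgs)
	var lines []string
	for _, pkg := range pkgs {
		ver := versions[pkg]
		if ver == "" {
			ver = "unknown"
		}
		for _, c := range added[pkg] {
			lines = append(lines, fmt.Sprintf("WARNING: new capability added to `%s` (%s). Added in version %s.", pkg, c, ver))
		}
	}
	return lines
}

// Constructed sample reports (not real capslock output).
var oldReport = []byte(`{"capability_info":[
 {"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_FILES"},
 {"package_name":"github.com/org/other","capability":"CAPABILITY_NETWORK"}]}`)

var newReport = []byte(`{"capability_info":[
 {"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_FILES"},
 {"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_EXEC"},
 {"package_name":"github.com/org/other","capability":"CAPABILITY_NETWORK"},
 {"package_name":"github.com/org/newdep","capability":"CAPABILITY_REFLECT"}]}`)

func main() {
	added, err := AddedCapabilities(oldReport, newReport)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed version labels standing in for what `go get -u` reported.
	versions := map[string]string{"github.com/org/repo/pkg": "v1.3.0"}
	for _, line := range FormatWarnings(added, versions) {
		fmt.Println(line)
	}
}
```

Keying the diff on capability names rather than on the raw report keeps it stable across reorderings and repeated entries, and treating a package that is absent from the old report as having no capabilities means a freshly pulled-in transitive dependency surfaces with everything it can do, which is exactly the case a reviewer most wants to see.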
