-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[NET-6741] make: Add target for updating dependencies across all modules #19785
[NET-6741] make: Add target for updating dependencies across all modules #19785
Conversation
After talking w/ Matt K., we think |
Update:
|
To enable more consistent and error-proof dependency management, add a Make target that will set a dependency version across all submodules that require it. Also runs `go mod tidy`. This first ensures the dependency addition is reverted if the module in question does not require it; it also ensures that any additional cleanup needed in `go.mod`/`go.sum` is applied.
c0704a6
to
6f0e24c
Compare
…les (#19785) make: Add target for updating dependencies across all modules To enable more consistent and error-proof dependency management, add a Make target that will set a dependency version across all submodules that require it. Also runs `go mod tidy`. This first ensures the dependency addition is reverted if the module in question does not require it; it also ensures that any additional cleanup needed in `go.mod`/`go.sum` is applied.
@zalimeni, a backport is missing for this PR [19785] for versions [1.15] please perform the backport manually and add the following snippet to your backport PR description:
|
5 similar comments
@zalimeni, a backport is missing for this PR [19785] for versions [1.15] please perform the backport manually and add the following snippet to your backport PR description:
|
@zalimeni, a backport is missing for this PR [19785] for versions [1.15] please perform the backport manually and add the following snippet to your backport PR description:
|
@zalimeni, a backport is missing for this PR [19785] for versions [1.15] please perform the backport manually and add the following snippet to your backport PR description:
|
@zalimeni, a backport is missing for this PR [19785] for versions [1.15] please perform the backport manually and add the following snippet to your backport PR description:
|
@zalimeni, a backport is missing for this PR [19785] for versions [1.15] please perform the backport manually and add the following snippet to your backport PR description:
|
To enable more consistent and error-proof dependency management, add a Make target that will set a dependency version across all submodules that require it.
Also runs
go mod tidy
. This first ensures the dependency addition is reverted if the module in question does not require it; it also ensures that any additional cleanup needed ingo.mod
/go.sum
is applied.Note on approach vs.
go.work
At one point, it seemed we could avoid executing
go get
per eachgo.mod
by instead moving to a versionedgo.work
and using workspace-based dependency management commands. Though there's still reasons to move togo.work
beyond this change, it probably won't work for bumping dependencies conveniently:go work sync
consolidates versions using MVS, so in practice, it seems we still need to use a visit-all approach to be able to blindly bump a given dependency only where it’s used.go work sync
simply enforces consistency across all go.mod files once any go.mod is updated (docs):Description
Simplify dependency management, particularly for addressing CVEs where a consistent minimum version is required.
Example run:
PR Checklist