New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lockfile maintenance for go.mod files #9578
Comments
Looks like you referring to https://docs.renovatebot.com/configuration-options/#lockfilemaintenance Which is currently not supported for gomod |
In other package managers we delete the lock file and then run an install command to repopulate it from scratch. Go instead uses a checksum file but importantly its MVS algorithm should mean you don't get a change to transitive dependencies just because newer versions are released. |
@rarkins What should we do if we want Renovate to bump indirect dependencies? Scenario:
Right now, renovate will never open a PR to get B up to date, so we keep building in the insecure version of B. |
This is not possible due to Go's Minimum Version Selection concept. Transitive dependencies can't be "bumped" until at least one package depending on it increases its minimum version. In your scenario A must update its go.mod to bump minimum version of B |
That is not correct. You can bump the version of a transitive dependency the same as if it was a direct dependency. |
Please provide more details and a reproduction repository demonstrating it so we can take a look |
This is 4y old but implies that there's a way to manually bump transitive dependencies using go: golang/go#24500 (comment) PRs would be welcome if someone can achieve this in Renovate |
Hi there, Help us by making a minimal reproduction repository. Before we can start work on your issue we first need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. To get started, please read our guide on creating a minimal reproduction to understand what is needed. We may close the issue if you (or someone else) have not provided a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment. Good luck, The Renovate team |
Needs a reproduction repo (with out of date transitive deps) plus confirmation of exactly which commands to run |
You bump it exactly the same way you bump a direct dependency. |
With main at eriksw/renovate-transitive-bump@4608150 the onboarding message says:
This is incorrect. If you run
|
Not really. This statement refers to direct dependencies, which evidently are up to date. It's really just meant to say "you have no PRs", and is particularly relevant to this discussion. If/when lock file maintenance is supported by Renovate then it would list single "lock file maintenance" PR in that list instead of saying it's empty. No Renovate manager today raises individual PRs per transitive dependency, and we don't plan to add that because the volume of PRs would be unsustainable in most cases. What this feature (#9578) would do is add Go Modules to this capability: https://docs.renovatebot.com/configuration-options/#lockfilemaintenance |
Reproduction forked to https://github.com/renovate-reproductions/9578 |
One important point: does |
That's an unfortunate position because in the scenario in #9578 (comment) that is exactly what is needed.
There isn't a "lock file maintenancer" command because go does not have a lock file, at least, not in the sense of package managers that use range constraints instead of MVS, owing to there being no way to express a maximum version or an exact version. From the perspective of It's worth being aware that the |
But in that case you have misunderstood and hijacked this feature request for a different requirement. This feature request is for "lock file maintenance", which is a Renovate term with a specific meaning.
As I said above, we invented the term lock file maintenance and so it can mean whatever we want it to. I understand Go doesn't have a lock file per se, but go.mod/go.sum work together to achieve effectively the same thing (deterministic installs). Lock file maintenance is intended to mean "keep all direct dependency constraints unchanged, while updating the resolved versions to their highest compatible versions". In other managers this normally means keeping the "package file" (e.g.
Yes, and that lack of difference is precisely the problem. For a user, there is a significance difference between a direct and indirect dependency, regardless of which language it is. In general, they don't want to care about their indirect dependencies if they can avoid it.
Same comment as above. Developers care about direct dependencies, and ideally indirect dependencies would "just work". Renovate already creates plenty of "noise" by updating direct dependencies. We don't want to overwhelm people by making them think about every single indirect dependency. Russ's comment in the linked discussion applies equally well here:
I think the same thing applies for Renovate. If some deeply nested transitive dependency has a new version, why should you care, other than the edge case that it's fixing a vulnerability. In summary, your desire to "surgically" update a specific transitive dependency only in the case of vulnerabilities is reasonable, but it's not "lock file maintenance". Please create a separate feature request so we can narrow those requirements there, ideally with a vulnerable reproduction. |
Regarding the lock file maintenance feature for |
Would be very nice if renovate could regularly
go mod tidy
to keep the sum files clean.Did you already have any implementation ideas?
Please correct me if I'm wrong. The idea behind the lockfileMaintenance is to update transitive dependencies only and to keep direct deps untouched right? If this is the case, then it should be pretty straightforward to implement.
If we pass the list of direct deps to go get like below, then it will keep them untouched and only update indirect dependencies.
go get -u -d <direct-deps>
sample
Given we have the following module
then
go get -u -d github.com/PaesslerAG/jsonpath@v0.1.1
would result inHow to implement?
go get -u -d <dep1>@<dep1_version> <dep2>@<dep2_version> ...
go mod tidy
if activatedThe text was updated successfully, but these errors were encountered: