distribution/go.mod

module github.com/distribution/distribution/v3

go 1.16

require (
	github.com/Azure/azure-sdk-for-go v56.3.0+incompatible
	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d
	github.com/aws/aws-sdk-go v1.42.27
	github.com/bitly/go-simplejson v0.5.0 // indirect
	github.com/bshuster-repo/logrus-logstash-hook v1.0.0
	github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd
	github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect
	github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 // indirect
	github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba
	github.com/dnaeon/go-vcr v1.0.1 // indirect
	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c
	github.com/docker/go-metrics v0.0.1
	github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1
	github.com/gofrs/uuid v4.0.0+incompatible // indirect
	github.com/gomodule/redigo v1.8.2
	github.com/gorilla/handlers v1.5.1
	github.com/gorilla/mux v1.8.0
	github.com/mitchellh/mapstructure v1.1.2
	github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f // indirect
	github.com/ncw/swift v1.0.47
	github.com/opencontainers/go-digest v1.0.0
	github.com/opencontainers/image-spec v1.0.2
	github.com/sirupsen/logrus v1.8.1
	github.com/spf13/cobra v1.0.0
	github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect
	github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50
	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
	google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff
	// when updating google.golang.org/cloud, update (or remove) the replace
	// rule for google.golang.org/grpc accordingly.
	google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8
	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127
	gopkg.in/yaml.v2 v2.4.0
)

// Prevent unwanted updates of grpc. In our codebase, it's a dependency of
// google.golang.org/cloud. However, github.com/spf13/viper (which is an indirect
// dependency of github.com/spf13/cobra) declares a more recent version. Viper
// is not used in the codebase, but go modules uses the go.mod of *all* dependen-
// cies to determine the minimum version of a module, but does *not* check if that
// depdendency's code using the dependency is actually used.
//
// In our case, github.com/spf13/viper occurs as a dependency, but is unused,
// so we can ignore the minimum versions of grpc and jwt-go that it specifies.
replace google.golang.org/grpc => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a
go.mod: change imports to github.com/distribution/distribution/v3 Go 1.13 and up enforce import paths to be versioned if a project contains a go.mod and has released v2 or up. The current v2.x branches (and releases) do not yet have a go.mod, and therefore are still allowed to be imported with a non-versioned import path (go modules add a `+incompatible` annotation in that case). However, now that this project has a `go.mod` file, incompatible import paths will not be accepted by go modules, and attempting to use code from this repository will fail. This patch uses `v3` for the import-paths (not `v2`), because changing import paths itself is a breaking change, which means that the next release should increment the "major" version to comply with SemVer (as go modules dictate). Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-24 11:18:39 +00:00			`module github.com/distribution/distribution/v3`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00
bump up golang v1.17 Signed-off-by: Wang Yan <wangyan@vmware.com> 2021-07-06 03:43:13 +00:00			`go 1.16`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00
			`require (`
chore: update azure go-autorest dependencies Signed-off-by: David Justice <david@devigned.com> 2020-04-01 15:47:41 +00:00			`github.com/Azure/azure-sdk-for-go v56.3.0+incompatible`
go.mod: github.com/Azure/go-autorest/autorest v0.11.24 Update the indirect dependency to remove the transitional github.com/form3tech-oss/jwt-go dependency from the dependency graph. Updates: - github.com/Azure/go-autorest/autorest v0.11.24: https://github.com/Azure/go-autorest/compare/autorest/v0.11.20...autorest/v0.11.24 - github.com/Azure/go-autorest/autorest/adal v0.9.18: https://github.com/Azure/go-autorest/compare/autorest/adal/v0.9.15...autorest/adal/v0.9.18 - github.com/golang-jwt/jwt v4.2.0: https://github.com/golang-jwt/jwt/compare/v4.0.0...v4.2.0 - golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3: https://github.com/golang/crypto/compare/32db794688a5...e495a2d5b3d3 Before this: go mod graph \| grep 'jwt' github.com/Azure/go-autorest/autorest/adal@v0.9.15 github.com/golang-jwt/jwt/v4@v4.0.0 github.com/Azure/go-autorest/autorest/adal@v0.9.13 github.com/form3tech-oss/jwt-go@v3.2.2+incompatible After this: go mod graph \| grep 'jwt' github.com/Azure/go-autorest/autorest@v0.11.24 github.com/golang-jwt/jwt/v4@v4.2.0 github.com/Azure/go-autorest/autorest/adal@v0.9.18 github.com/golang-jwt/jwt/v4@v4.0.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-01-24 10:30:22 +00:00			`github.com/Azure/go-autorest/autorest v0.11.24 // indirect`
chore: update azure go-autorest dependencies Signed-off-by: David Justice <david@devigned.com> 2020-04-01 15:47:41 +00:00			`github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d`
Update aws-sdk to 1.42.27 Upgrade the aws golang SDK to 1.42.27 to add the new options for configuring S3 dualstack endpoints. Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com> 2022-01-04 22:09:44 +00:00			`github.com/aws/aws-sdk-go v1.42.27`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`github.com/bitly/go-simplejson v0.5.0 // indirect`
Bump Logstash hook for logrus to `v1.0.0`. Signed-off-by: olegburov <oleg.burov@outlook.com> 2020-09-01 00:26:57 +00:00			`github.com/bshuster-repo/logrus-logstash-hook v1.0.0`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd`
			`github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect`
			`github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 // indirect`
			`github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba`
			`github.com/dnaeon/go-vcr v1.0.1 // indirect`
Use go-events package TBD: Queue not converted yet Signed-off-by: Elliot Pahl <elliot.pahl@gmail.com> 2018-03-14 00:08:11 +00:00			`github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c`
vendor: update docker/go-metrics v0.0.1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-01-08 17:27:59 +00:00			`github.com/docker/go-metrics v0.0.1`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1`
chore: update azure go-autorest dependencies Signed-off-by: David Justice <david@devigned.com> 2020-04-01 15:47:41 +00:00			`github.com/gofrs/uuid v4.0.0+incompatible // indirect`
Bump Redigo to `v1.8.2`. Signed-off-by: olegburov <oleg.burov@outlook.com> 2020-09-01 00:15:02 +00:00			`github.com/gomodule/redigo v1.8.2`
Bump Gorilla Handlers to `v1.5.1`. Signed-off-by: olegburov <oleg.burov@outlook.com> 2020-09-01 03:48:55 +00:00			`github.com/gorilla/handlers v1.5.1`
Bump Gorilla Mux to `v1.8.0`. Signed-off-by: olegburov <oleg.burov@outlook.com> 2020-08-27 18:09:06 +00:00			`github.com/gorilla/mux v1.8.0`
update the golang compiler version and the versions of several dependencies Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-20 05:39:19 +00:00			`github.com/mitchellh/mapstructure v1.1.2`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f // indirect`
update the golang compiler version and the versions of several dependencies Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-20 05:39:19 +00:00			`github.com/ncw/swift v1.0.47`
vendor: opencontainers/go-digest v1.0.0 full diff: https://github.com/opencontainers/go-digest/compare/v1.0.0-rc1...v1.0.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-24 16:45:46 +00:00			`github.com/opencontainers/go-digest v1.0.0`
go.mod: github.com/opencontainers/image-spec v1.0.2 - Bring mediaType out of reserved status - specs-go: adding mediaType to the index and manifest structures full diff: https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-11-17 21:23:15 +00:00			`github.com/opencontainers/image-spec v1.0.2`
go.mod: update logrus to v1.8.1 Newer versions contain fixes for recent Go versions, and this removes the dependency on github.com/konsorten/go-windows-terminal-sequences Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-04-22 12:36:56 +00:00			`github.com/sirupsen/logrus v1.8.1`
go.mod: spf13/cobra v1.0.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-26 09:24:43 +00:00			`github.com/spf13/cobra v1.0.0`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect`
			`github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50`
			`github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect`
go.mod: github.com/Azure/go-autorest/autorest v0.11.24 Update the indirect dependency to remove the transitional github.com/form3tech-oss/jwt-go dependency from the dependency graph. Updates: - github.com/Azure/go-autorest/autorest v0.11.24: https://github.com/Azure/go-autorest/compare/autorest/v0.11.20...autorest/v0.11.24 - github.com/Azure/go-autorest/autorest/adal v0.9.18: https://github.com/Azure/go-autorest/compare/autorest/adal/v0.9.15...autorest/adal/v0.9.18 - github.com/golang-jwt/jwt v4.2.0: https://github.com/golang-jwt/jwt/compare/v4.0.0...v4.2.0 - golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3: https://github.com/golang/crypto/compare/32db794688a5...e495a2d5b3d3 Before this: go mod graph \| grep 'jwt' github.com/Azure/go-autorest/autorest/adal@v0.9.15 github.com/golang-jwt/jwt/v4@v4.0.0 github.com/Azure/go-autorest/autorest/adal@v0.9.13 github.com/form3tech-oss/jwt-go@v3.2.2+incompatible After this: go mod graph \| grep 'jwt' github.com/Azure/go-autorest/autorest@v0.11.24 github.com/golang-jwt/jwt/v4@v4.2.0 github.com/Azure/go-autorest/autorest/adal@v0.9.18 github.com/golang-jwt/jwt/v4@v4.0.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2022-01-24 10:30:22 +00:00			`golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3`
update the golang compiler version and the versions of several dependencies Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-20 05:39:19 +00:00			`golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff`
go.mod: add replace rule to prevent unwanted updateds of grpc and jwt-go This replace rule is to prevent unwanted updates of grpc and jwt-go. When updating spf13/cobra, we noticed that google.golang.org/grpc got updated. Doing a search to find which modules (note here that `go mod graph` only looks at dependencies from a `go modules` perspective, and not all the (current version) of our dependencies use go modules). And I found that the only _modules_ depending on it are `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`: ```bash $ go mod graph \| grep ' google.golang.org/grpc' github.com/spf13/viper@v1.4.0 google.golang.org/grpc@v1.21.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0 google.golang.org/grpc@v1.19.0 ``` Of those, `github.com/grpc-ecosystem/grpc-gateway` is a dependency of `github.com/spf13/viper`: ```bash $ go mod graph \| grep ' github.com/grpc-ecosystem/grpc-gateway' github.com/spf13/viper@v1.4.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0 ``` So looking at that one, it's a dependency of cobra: ```bash $ go mod graph \| grep ' github.com/spf13/viper@v1.4.0' github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0 ``` Ironically, while both `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`, depend on `google.golang.org/grpc` and (through their `go.mod`) are responsible for `go mod` to update the dependency version of grpc, none of them are used: ```bash cat vendor/modules.txt \| grep github.com/spf13/viper cat vendor/modules.txt \| grep github.com/grpc-ecosystem/grpc-gateway ``` Unfortunately, `go modules` looks at `go.mod` to determine the minimum version required; _even if the parts of the modules specifying it in the `go.mod` are unused_. This patch adds a `replace` rule in go.mod to prevent updating grpc based on other dependencies that _declare_ `google.golang.org/grpc` as a dependency, but are not used and, hence, should not influence the minumum version. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-04-23 16:34:53 +00:00			`// when updating google.golang.org/cloud, update (or remove) the replace`
			`// rule for google.golang.org/grpc accordingly.`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8`
go.mod: spf13/cobra v1.0.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2020-08-26 09:24:43 +00:00			`gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127`
go.mod: gopkg.in/yaml.v2 v2.4.0 This updates the package to a version to include the security fixes in v2.2.3. Version 2.3.0 was known introduce a breaking change for some users, so using the latest (v2.4.0) Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-04-22 12:31:11 +00:00			`gopkg.in/yaml.v2 v2.4.0`
migrate to go modules from vndr Signed-off-by: Tariq Ibrahim <tariq181290@gmail.com> 2019-06-05 22:40:29 +00:00			`)`
go.mod: add replace rule to prevent unwanted updateds of grpc and jwt-go This replace rule is to prevent unwanted updates of grpc and jwt-go. When updating spf13/cobra, we noticed that google.golang.org/grpc got updated. Doing a search to find which modules (note here that `go mod graph` only looks at dependencies from a `go modules` perspective, and not all the (current version) of our dependencies use go modules). And I found that the only _modules_ depending on it are `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`: ```bash $ go mod graph \| grep ' google.golang.org/grpc' github.com/spf13/viper@v1.4.0 google.golang.org/grpc@v1.21.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0 google.golang.org/grpc@v1.19.0 ``` Of those, `github.com/grpc-ecosystem/grpc-gateway` is a dependency of `github.com/spf13/viper`: ```bash $ go mod graph \| grep ' github.com/grpc-ecosystem/grpc-gateway' github.com/spf13/viper@v1.4.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0 ``` So looking at that one, it's a dependency of cobra: ```bash $ go mod graph \| grep ' github.com/spf13/viper@v1.4.0' github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0 ``` Ironically, while both `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`, depend on `google.golang.org/grpc` and (through their `go.mod`) are responsible for `go mod` to update the dependency version of grpc, none of them are used: ```bash cat vendor/modules.txt \| grep github.com/spf13/viper cat vendor/modules.txt \| grep github.com/grpc-ecosystem/grpc-gateway ``` Unfortunately, `go modules` looks at `go.mod` to determine the minimum version required; _even if the parts of the modules specifying it in the `go.mod` are unused_. This patch adds a `replace` rule in go.mod to prevent updating grpc based on other dependencies that _declare_ `google.golang.org/grpc` as a dependency, but are not used and, hence, should not influence the minumum version. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 2021-04-23 16:34:53 +00:00
			`// Prevent unwanted updates of grpc. In our codebase, it's a dependency of`
			`// google.golang.org/cloud. However, github.com/spf13/viper (which is an indirect`
			`// dependency of github.com/spf13/cobra) declares a more recent version. Viper`
			`// is not used in the codebase, but go modules uses the go.mod of all dependen-`
			`// cies to determine the minimum version of a module, but does not check if that`
			`// depdendency's code using the dependency is actually used.`
			`//`
			`// In our case, github.com/spf13/viper occurs as a dependency, but is unused,`
			`// so we can ignore the minimum versions of grpc and jwt-go that it specifies.`
			`replace google.golang.org/grpc => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a`