go.mod: add replace rule to prevent unwanted updateds of grpc and jwt-go
This replace rule is to prevent unwanted updates of grpc and jwt-go. When updating spf13/cobra, we noticed that google.golang.org/grpc got updated. Doing a search to find which modules (note here that `go mod graph` only looks at dependencies from a `go modules` perspective, and not all the (current version) of our dependencies use go modules). And I found that the only _modules_ depending on it are `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`: ```bash $ go mod graph | grep ' google.golang.org/grpc' github.com/spf13/viper@v1.4.0 google.golang.org/grpc@v1.21.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0 google.golang.org/grpc@v1.19.0 ``` Of those, `github.com/grpc-ecosystem/grpc-gateway` is a dependency of `github.com/spf13/viper`: ```bash $ go mod graph | grep ' github.com/grpc-ecosystem/grpc-gateway' github.com/spf13/viper@v1.4.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0 ``` So looking at that one, it's a dependency of cobra: ```bash $ go mod graph | grep ' github.com/spf13/viper@v1.4.0' github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0 ``` Ironically, while both `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`, depend on `google.golang.org/grpc` and (through their `go.mod`) are responsible for `go mod` to update the dependency version of grpc, none of them are used: ```bash cat vendor/modules.txt | grep github.com/spf13/viper cat vendor/modules.txt | grep github.com/grpc-ecosystem/grpc-gateway ``` Unfortunately, `go modules` looks at `go.mod` to determine the *minimum version* required; _even if the parts of the modules specifying it in the `go.mod` are unused_. This patch adds a `replace` rule in go.mod to prevent updating grpc based on other dependencies that _declare_ `google.golang.org/grpc` as a dependency, but are not used and, hence, should not influence the minumum version. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
02e2231e60
commit
f9c1b86feb
2 changed files with 15 additions and 1 deletions
13
go.mod
13
go.mod
|
@ -38,8 +38,21 @@ require (
|
|||
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
|
||||
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
|
||||
google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff
|
||||
// when updating google.golang.org/cloud, update (or remove) the replace
|
||||
// rule for google.golang.org/grpc accordingly.
|
||||
google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8
|
||||
google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a // indirect
|
||||
gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789
|
||||
gopkg.in/yaml.v2 v2.4.0
|
||||
)
|
||||
|
||||
// Prevent unwanted updates of grpc. In our codebase, it's a dependency of
|
||||
// google.golang.org/cloud. However, github.com/spf13/viper (which is an indirect
|
||||
// dependency of github.com/spf13/cobra) declares a more recent version. Viper
|
||||
// is not used in the codebase, but go modules uses the go.mod of *all* dependen-
|
||||
// cies to determine the minimum version of a module, but does *not* check if that
|
||||
// depdendency's code using the dependency is actually used.
|
||||
//
|
||||
// In our case, github.com/spf13/viper occurs as a dependency, but is unused,
|
||||
// so we can ignore the minimum versions of grpc and jwt-go that it specifies.
|
||||
replace google.golang.org/grpc => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a
|
||||
|
|
3
vendor/modules.txt
vendored
3
vendor/modules.txt
vendored
|
@ -238,7 +238,7 @@ google.golang.org/cloud
|
|||
google.golang.org/cloud/internal
|
||||
google.golang.org/cloud/internal/opts
|
||||
google.golang.org/cloud/storage
|
||||
# google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a
|
||||
# google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a
|
||||
## explicit
|
||||
google.golang.org/grpc
|
||||
google.golang.org/grpc/codes
|
||||
|
@ -255,3 +255,4 @@ gopkg.in/check.v1
|
|||
# gopkg.in/yaml.v2 v2.4.0
|
||||
## explicit
|
||||
gopkg.in/yaml.v2
|
||||
# google.golang.org/grpc => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a
|
||||
|
|
Loading…
Reference in a new issue