From f9c1b86feb36b530f7eab78e18e9a49decc87861 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Fri, 23 Apr 2021 18:34:53 +0200 Subject: [PATCH] go.mod: add replace rule to prevent unwanted updateds of grpc and jwt-go This replace rule is to prevent unwanted updates of grpc and jwt-go. When updating spf13/cobra, we noticed that google.golang.org/grpc got updated. I searched for the modules that depend on it (note here that `go mod graph` only looks at dependencies from a `go modules` perspective, and not all of the (current versions of) our dependencies use go modules), and found that the only _modules_ depending on it are `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`: ```bash $ go mod graph | grep ' google.golang.org/grpc' github.com/spf13/viper@v1.4.0 google.golang.org/grpc@v1.21.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0 google.golang.org/grpc@v1.19.0 ``` Of those, `github.com/grpc-ecosystem/grpc-gateway` is a dependency of `github.com/spf13/viper`: ```bash $ go mod graph | grep ' github.com/grpc-ecosystem/grpc-gateway' github.com/spf13/viper@v1.4.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0 ``` So looking at that one, it's a dependency of cobra: ```bash $ go mod graph | grep ' github.com/spf13/viper@v1.4.0' github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0 ``` Ironically, while both `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`, depend on `google.golang.org/grpc` and (through their `go.mod`) are responsible for `go mod` to update the dependency version of grpc, none of them are used: ```bash cat vendor/modules.txt | grep github.com/spf13/viper cat vendor/modules.txt | grep github.com/grpc-ecosystem/grpc-gateway ``` Unfortunately, `go modules` looks at `go.mod` to determine the *minimum version* required; _even if the parts of the modules specifying it in the `go.mod` are unused_.
This patch adds a `replace` rule in go.mod to prevent updating grpc based on other dependencies that _declare_ `google.golang.org/grpc` as a dependency, but are not used and, hence, should not influence the minumum version.
Signed-off-by: Sebastiaan van Stijn
---
 go.mod | 13 +++++++++++++
 vendor/modules.txt | 3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 18b0acab3..800a02734 100644
--- a/go.mod
+++ b/go.mod
@@ -38,8 +38,21 @@ require (
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff
+ // when updating google.golang.org/cloud, update (or remove) the replace
+ // rule for google.golang.org/grpc accordingly.
 google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8
 google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a // indirect
 gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789
 gopkg.in/yaml.v2 v2.4.0
 )
+
+// Prevent unwanted updates of grpc. In our codebase, it's a dependency of
+// google.golang.org/cloud. However, github.com/spf13/viper (which is an indirect
+// dependency of github.com/spf13/cobra) declares a more recent version. Viper
+// is not used in the codebase, but go modules uses the go.mod of *all* dependen-
+// cies to determine the minimum version of a module, but does *not* check if that
+// depdendency's code using the dependency is actually used.
+//
+// In our case, github.com/spf13/viper occurs as a dependency, but is unused,
+// so we can ignore the minimum versions of grpc and jwt-go that it specifies.
+replace google.golang.org/grpc => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3ad968345..c02ce1255 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
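Review bot: The comment added above the `replace` line in go.mod ends with "ignore the minimum versions of grpc and jwt-go", but the hunk only adds a rule for `google.golang.org/grpc`; nothing here pins jwt-go, so its version can presumably still be raised by a dependency's go.mod. Either add the matching replace rule for jwt-go or reword the last line to `// so we can ignore the minimum version of grpc that it specifies.`. Because a `replace` wins over every `require`, this also holds grpc at the 2016 pseudo-version `v0.0.0-20160317175043-d3ddb4469d5a` even when someone later bumps the `require` entry, so upstream grpc fixes (including security fixes) will not arrive through normal dependency updates. I would state that trade-off and the removal condition directly above the rule, for example `// NOTE: this pins grpc; remove once google.golang.org/cloud is updated.`, rather than only beside the google.golang.org/cloud entry. The same comment also has a typo (`depdendency's`) and a word split across lines (`dependen-` / `cies`), which makes it harder to grep.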
@@ -238,7 +238,7 @@ google.golang.org/cloud google.golang.org/cloud/internal google.golang.org/cloud/internal/opts google.golang.org/cloud/storage -# google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a +# google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a ## explicit google.golang.org/grpc google.golang.org/grpc/codes @@ -255,3 +255,4 @@ gopkg.in/check.v1 # gopkg.in/yaml.v2 v2.4.0 ## explicit gopkg.in/yaml.v2 +# google.golang.org/grpc => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a