Allow rules for indirect / transitive dependencies

OpenPeeDeeP / depguard

Go linter that checks if package imports are in a list of acceptable packages.

GNU General Public License v3.0

138 stars 15 forks source link

Allow rules for indirect / transitive dependencies #68

Open AlekSi opened 11 months ago

AlekSi commented 11 months ago

It would be nice to have a way to allow/deny indirect/transitive imports.

For example, let's say a have a package a imported by package b. Then I have package c that imports package b. And I have a rule that denies c to import a. Currently, the linter passes. I think there should be an option to fail in that case.

dixonwille commented 11 months ago

I am not sure on the best way to do that for this linter without significantly slowing this down. It looks at source files and reads the import statements from the AST. Though https://github.com/ryancurrah/gomodguard states it only works on direct dependencies as well. But given the go.sum file, it may be a better feature over there?

Open to suggestions though.

dixonwille commented 11 months ago

Of course that is only at the module level.

AlekSi commented 11 months ago

One (maybe stupid) option is to run go list -json ./... and parse the output, including Deps field. It also may be done only if at least one rule opted-in for the transitive check.

Another option is to use https://pkg.go.dev/golang.org/x/tools/go/packages