canonical / serial-vault


Potential collision and risk from indirect dependence "github.com/godbus/dbus" #295

Open KateGo520 opened 4 years ago

KateGo520 commented 4 years ago

Dependency line:

github.com/CanonicalLtd/serial-vault --> github.com/snapcore/snapd --> github.com/godbus/dbus --> github.com/dancannon/gorethink

github.com/snapcore/snapd 16631e2 --> github.com/godbus/dbus 4481cbc (close to v5.0.2) https://github.com/snapcore/snapd/blob/16631e228c07c969cc64737a2879cbe4ee71f01f/vendor/vendor.json#L18

"checksumSHA1": "qwK75TRXmR/k8CiegYaeqaCDek4=",
"path": "github.com/godbus/dbus",
"revision": "4481cbc300e2df0c0b3cecc18b6c16c6c0bb885d",
"revisionTime": "2019-07-26T02:52:47Z" 

Background

godbus/dbus has already opted into modules since the version was updated to v5. The repo github.com/snapcore/snapd didn't have modules, so it uses the import path "github.com/godbus/dbus" to get godbus/dbus. This repo, github.com/CanonicalLtd/serial-vault, has already opted into modules. So when github.com/CanonicalLtd/serial-vault tries to get godbus/dbus through the indirect path "github.com/godbus/dbus", modules pull the last version of godbus/dbus that didn't have a go.mod, v4.1.0. From Go Modules' point of view, the path "github.com/godbus/dbus" equals version v0/v1 or the latest version that didn't use modules.

This resulted in version of godbus/dbus sticking at v4.1.0: https://github.com/CanonicalLtd/serial-vault/blob/master/go.mod#L8

github.com/godbus/dbus v4.1.0+incompatible // indirect

And actually the version that github.com/snapcore/snapd requires is close to v5.0.2. This may bring potential errors and problems.

Solution

Add a replace statement in the go.mod file:

replace github.com/godbus/dbus => github.com/godbus/dbus 4481cbc
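The resolution rule the issue describes (an unsuffixed import path can only select v0/v1 tags or pre-go.mod tags, which Go marks "+incompatible") can be modelled in a few lines. The following is an added illustration written for this page, not code from serial-vault, snapd or the go tool; the tag list is constructed to mirror the situation in the report (a v4.1.0 tag without go.mod and v5 tags whose go.mod declares the /v5 path) and is not fetched from the real repository.

```python
import re

# Constructed sample tag list (assumption for illustration, not real repository data):
# tags before go.mod have module_path None; v5 tags declare the /v5 module path.
SAMPLE_TAGS = [
    {"tag": "v1.0.0", "module_path": None},
    {"tag": "v4.1.0", "module_path": None},
    {"tag": "v5.0.0", "module_path": "github.com/godbus/dbus/v5"},
    {"tag": "v5.0.2", "module_path": "github.com/godbus/dbus/v5"},
]

SEMVER = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")
SUFFIX = re.compile(r"/v(\d+)$")


def parse_version(tag):
    """Return (major, minor, patch) for a plain semver tag such as v5.0.2."""
    m = SEMVER.match(tag.split("+")[0])
    if not m:
        raise ValueError("not a plain semver tag: %s" % tag)
    return tuple(int(x) for x in m.groups())


def candidates(import_path, tags):
    """Versions that the given import path is allowed to select.

    Simplified model of the go command's semantic import versioning rule:
    - an unsuffixed path (e.g. github.com/godbus/dbus) may select v0/v1 tags and
      any tag that has no go.mod; v2+ tags without go.mod get "+incompatible";
    - a suffixed path (e.g. .../v5) may only select tags whose go.mod declares
      exactly that module path.
    """
    suffixed = SUFFIX.search(import_path) is not None
    out = []
    for t in tags:
        major = parse_version(t["tag"])[0]
        if t["module_path"] is None:
            if not suffixed:
                out.append(t["tag"] + ("+incompatible" if major >= 2 else ""))
        elif t["module_path"] == import_path:
            out.append(t["tag"])
    return out


def resolve_latest(import_path, tags):
    """Highest selectable version for the path, or None if nothing qualifies."""
    cands = candidates(import_path, tags)
    if not cands:
        return None
    return max(cands, key=parse_version)


if __name__ == "__main__":
    # The indirect path used by snapd's vendor.json stops at v4.1.0+incompatible,
    # while the /v5 path reaches the version snapd actually vendors.
    for path in ("github.com/godbus/dbus", "github.com/godbus/dbus/v5"):
        print(path, "->", resolve_latest(path, SAMPLE_TAGS))
```

Run as a script it prints the two resolutions side by side; the mismatch between them is exactly why the indirect requirement in go.mod sticks at v4.1.0+incompatible and why a replace directive (or a dependency that imports the /v5 path) is needed to pull in the newer code.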

KateGo520 commented 4 years ago

@glower Could you help me review this issue? Thanks :p

glower commented 4 years ago

Yes, I will have a look