chainguard-dev / gobump

Go tool to declaratively bump dependencies.
Apache License 2.0

add error msg to set the dep into replaces #18

Closed hectorj2f closed 9 months ago

hectorj2f commented 9 months ago

Whenever we set in deps a dependency that will get removed once go mod tidy runs, we need to return a proper error that indicates how to solve it. In this case, the way to solve it requires adding it to the list of replaces.

luhring commented 9 months ago

I may be misunderstanding this, but is it possible that the reason go mod tidy removed it from go.mod is that the dependency is no longer needed at all (any version)?

If the goal is to resolve a vulnerability, and based on other updates, the project no longer has a need for a given Go module dependency, wouldn't it be better not to add it to replaces?

hectorj2f commented 9 months ago

@luhring Good question. Yes and no: this can happen in both scenarios, when you don't need a dep (what you mention) or when you really want a specific version of a dependency that is not vulnerable, but other deps OR go mod tidy reverted that change. For instance, I want a specific version of otel/grpctrace, but go mod tidy reverts my change because other deps use another dependency, etc. If I really know that this dep is what I want, I need to add it to replaces (together with other deps: otel, otel/sdk...) to instruct go mod tidy to stick with a certain version instead of another.
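The check this thread asks for, as an added example that is not gobump's own code: it diffs the require set of go.mod before and after `go mod tidy` (block form and single-line form, ignoring trailing `// indirect` comments), reports modules whose requirement was dropped or moved to another version, and builds an error message that suggests the matching replace directive. It keeps both cases from the discussion apart, since a module that disappeared entirely may simply be unused, while a version that was changed is the case where a replace pins it. The go.mod contents are constructed inline with made-up module paths and versions, and the tiny line scanner is an assumption standing in for golang.org/x/mod/modfile.

```go
// Added example for this issue thread; not gobump's own code.
// Diffs the require set of go.mod before and after `go mod tidy`
// and builds the error message the issue asks for.
package main

import (
	"bufio"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample input (paths and versions are made up): the go.mod
// as the bump tool wrote it, and the same file after `go mod tidy`
// reverted the otel bump and removed a module nothing imports.
const beforeGoMod = `module example.com/app
require (
	example.com/otel v1.24.0
	example.com/otel/sdk v1.24.0
	example.com/unused v0.3.0
	github.com/foo/bar v1.0.0 // indirect
)
require example.com/single v2.0.0
`

const afterGoMod = `module example.com/app
require (
	example.com/otel v1.22.0
	example.com/otel/sdk v1.22.0
	github.com/foo/bar v1.0.0 // indirect
)
require example.com/single v2.0.0
`

// Change is one module whose requested requirement did not survive tidy.
type Change struct {
	Path     string
	Wanted   string // version in go.mod before tidy
	Resolved string // version after tidy; "" when the require was removed
}

// requires maps module path -> version from the require directives,
// handling the block form, the single-line form and trailing comments.
// Small line scanner assumed here instead of golang.org/x/mod/modfile.
func requires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "":
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		case line == "require (":
			inBlock = true
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		}
	}
	return out
}

// DiffAfterTidy lists, sorted by path, every module that tidy dropped
// or moved away from the version present in before.
func DiffAfterTidy(before, after string) []Change {
	b, a := requires(before), requires(after)
	var cs []Change
	for path, want := range b {
		if got := a[path]; got != want {
			cs = append(cs, Change{Path: path, Wanted: want, Resolved: got})
		}
	}
	sort.Slice(cs, func(i, j int) bool { return cs[i].Path < cs[j].Path })
	return cs
}

// ReplaceDirective is the go.mod line that pins the module at the
// requested version regardless of what other dependencies ask for.
func ReplaceDirective(c Change) string {
	return fmt.Sprintf("replace %s => %s %s", c.Path, c.Path, c.Wanted)
}

// TidyError is nil when tidy kept every requested version; otherwise it
// says what changed and how to pin it, distinguishing a module that was
// removed outright (possibly unused) from one moved to another version.
func TidyError(before, after string) error {
	cs := DiffAfterTidy(before, after)
	if len(cs) == 0 {
		return nil
	}
	var sb strings.Builder
	sb.WriteString("go mod tidy did not keep the requested versions:\n")
	for _, c := range cs {
		if c.Resolved == "" {
			fmt.Fprintf(&sb, "  %s %s was removed: if nothing imports it, drop it from the bump;\n", c.Path, c.Wanted)
		} else {
			fmt.Fprintf(&sb, "  %s %s was changed to %s by another dependency;\n", c.Path, c.Wanted, c.Resolved)
		}
		fmt.Fprintf(&sb, "    to keep %s, add to go.mod: %s\n", c.Wanted, ReplaceDirective(c))
	}
	return errors.New(sb.String())
}

func main() {
	if err := TidyError(beforeGoMod, afterGoMod); err != nil {
		fmt.Print(err)
	}
}
```

Running it prints three entries: the two otel modules reverted to v1.22.0 with a `replace` line suggested for each, and example.com/unused flagged as removed, which is where the reader has to decide whether it is still needed.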