darvid / stashvision

⚔️ A private stash indexing tool and in-game item highlighting overlay for Path of Exile. 🗡️🧰
MIT License

Potential collision and risk from indirect dependence "github.com/etcd-io/bbolt" #12

Open KateGo520 opened 4 years ago

KateGo520 commented 4 years ago

Dependency line:

github.com/darvid/stashvision --> github.com/blevesearch/bleve v0.8.1 --> github.com/etcd-io/bbolt

Background

etcd-io/bbolt has already renamed its import path from "github.com/etcd-io/bbolt" to "go.etcd.io/bbolt". As the etcd-io/bbolt README.md says, downstream repos should use "go.etcd.io/bbolt" to get or import etcd-io/bbolt.

To start using Bolt, install Go and run go get:
>$ go get go.etcd.io/bbolt/...
This will retrieve the library and install the bolt command line utility into your $GOBIN path.

Importing bbolt
To use bbolt as an embedded key-value store, import as:
>import bolt "go.etcd.io/bbolt"
…

But blevesearch/bleve v0.8.1 still used the old path: https://github.com/blevesearch/bleve/blob/v0.8.1/index/store/boltdb/iterator.go#L20

import (
    "bytes"
    bolt "github.com/etcd-io/bbolt"
)

I find that go.etcd.io/bbolt and github.com/etcd-io/bbolt coexist in this repo: https://github.com/darvid/stashvision/blob/master/stashvision-go/go.mod (Line 19 & 38)

github.com/etcd-io/bbolt v1.3.3 // indirect
go.etcd.io/bbolt v1.3.3 // indirect

That’s because etcd-io/bbolt has already renamed its import path from "github.com/etcd-io/bbolt" to "go.etcd.io/bbolt" in version v1.3.3. When Go uses the old path "github.com/etcd-io/bbolt" to import etcd-io/bbolt, it reintroduces etcd-io/bbolt through the import statements "import go.etcd.io/bbolt" in the Go source files of etcd-io/bbolt.

https://github.com/etcd-io/bbolt/blob/v1.3.3/cursor_test.go#L14

package bbolt_test
import (
    bolt "go.etcd.io/bbolt"
    …
) 

"go.etcd.io/bbolt" and "github.com/etcd-io/bbolt" are the same repo. This will work in isolation, bringing about potential risks and problems.

Solution

  1. Add a replace statement to the go.mod file:
    replace github.com/etcd-io/bbolt => go.etcd.io/bbolt v1.3.3

    Then clean the dependencies.

  2. Update the direct dependency github.com/blevesearch/bleve. The latest version of github.com/blevesearch/bleve is v1.0.9. This problem does not exist in the new version. https://github.com/blevesearch/bleve/blob/v1.0.9/index/store/boltdb/iterator.go
    
    package boltdb

    import (
        "bytes"

        bolt "go.etcd.io/bbolt"
    )
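
The following is an added example, not part of the original issue or of the stashvision code base: a check over go.mod text for the condition reported above, where one module is required under both its old and its renamed import path, and for whether a replace directive redirects the old path. The module path `example.com/app`, the helper name `Aliased` and the simplified line parser are assumptions made for illustration; the check reads go.mod text only and does not run a build.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod: the module path is a placeholder; the two bbolt lines
// and the bleve version are the ones quoted in the issue.
const sampleGoMod = `module example.com/app
require (
	github.com/blevesearch/bleve v0.8.1
	github.com/etcd-io/bbolt v1.3.3 // indirect
	go.etcd.io/bbolt v1.3.3 // indirect
)
`

// The replace directive proposed as solution 1 in the issue.
const fixLine = "replace github.com/etcd-io/bbolt => go.etcd.io/bbolt v1.3.3\n"

// Aliased (hypothetical helper) reports whether go.mod requires a module under
// both its old and its renamed path without a replace redirecting the old one.
// Simplified line parser: handles single-line and "( ... )" block directives.
func Aliased(gomod, oldPath, newPath string) bool {
	seen := map[string]map[string]bool{"require": {}, "replace": {}}
	block := "" // directive that opened the current block, "" outside one
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop comments
		switch {
		case len(f) == 0:
			continue
		case f[0] == ")" || f[len(f)-1] == "(":
			block = strings.TrimSuffix(f[0], ")") // "" on close, name on open
			continue
		case block != "":
			f = append([]string{block}, f...) // treat as "<directive> <path> ..."
		}
		if m, ok := seen[f[0]]; ok && len(f) >= 2 {
			m[f[1]] = true
		}
	}
	return seen["require"][oldPath] && seen["require"][newPath] && !seen["replace"][oldPath]
}

func main() {
	const oldPath, newPath = "github.com/etcd-io/bbolt", "go.etcd.io/bbolt"
	fmt.Println("as committed:", Aliased(sampleGoMod, oldPath, newPath))
	fmt.Println("with replace:", Aliased(sampleGoMod+fixLine, oldPath, newPath))
}
```

A check like this can run in CI against a maintained list of known path renames so that a duplicated module is flagged when go.mod changes.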

KateGo520 commented 4 years ago

@darvid Could you help me review this issue? Thx :p