Closed jhump closed 2 years ago
go mod graph
can be helpful in these situations:
go mod graph | grep golang.org/x/text@v0.3.2 NL-9389-bump-golang-text-lib-past-CVE
cloud.google.com/go@v0.56.0 golang.org/x/text@v0.3.2
go.opencensus.io@v0.22.3 golang.org/x/text@v0.3.2
golang.org/x/text@v0.3.2 golang.org/x/tools@v0.0.0-20180917221912-90fa682c2a6e
google.golang.org/api@v0.20.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.52.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.15.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.17.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.53.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.18.0 golang.org/x/text@v0.3.2
go.opencensus.io@v0.22.2 golang.org/x/text@v0.3.2
google.golang.org/appengine@v1.6.5 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.50.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.44.2 golang.org/x/text@v0.3.2
google.golang.org/api@v0.8.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.44.1 golang.org/x/text@v0.3.2
google.golang.org/api@v0.7.0 golang.org/x/text@v0.3.2
google.golang.org/appengine@v1.6.1 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.45.1 golang.org/x/text@v0.3.2
go.opencensus.io@v0.22.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.9.0 golang.org/x/text@v0.3.2
cloud.google.com/go@v0.46.3 golang.org/x/text@v0.3.2
google.golang.org/api@v0.14.0 golang.org/x/text@v0.3.2
google.golang.org/api@v0.13.0 golang.org/x/text@v0.3.2
Points to: https://github.com/googleapis/google-cloud-go/blob/v0.56.0/go.mod#L23
There may be others as well, but that's an obvious one.
Looks like the latest version of cloud.google.com/go
completely dropped that dep: https://github.com/googleapis/google-cloud-go/blob/v0.100.2/go.mod
@jhump any chance of cutting a new release with this?
Trying to switch my makefile from go get
to go install
but in that case my local pin override won't take effect, it simply installs what is specified here in grpcurl
... so a tagged release with this fixed would be more convenient than having to pin to a specific commit.
Resolves #274.
Sadly,
go mod why golang.org/x/text
just reports this:It would be nice to know via what path of indirect deps this module is entering the dependency graph. That way we could update the appropriate direct dependency (or dependencies).