ghetzel / pivot

An extensible database abstraction service, written in Golang.
GNU Lesser General Public License v2.1

Potential collision and risk from indirect dependence "github.com/gotestyourself/gotestyourself" #21

Open KateGo520 opened 4 years ago

KateGo520 commented 4 years ago

Background

Repo ghetzel/pivot used the old path to import gotestyourself indirectly. This caused github.com/gotestyourself/gotestyourself and gotest.tools to coexist in this repo: https://github.com/ghetzel/pivot/blob/master/go.mod (Lines 40 & 77)

github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
gotest.tools v2.2.0+incompatible // indirect 

That’s because gotestyourself has already renamed its import path from "github.com/gotestyourself/gotestyourself" to "gotest.tools". When you use the old path "github.com/gotestyourself/gotestyourself" to import gotestyourself, it reintroduces gotestyourself through the import statements "import gotest.tools" in the Go source files of gotestyourself.

https://github.com/gotestyourself/gotest.tools/blob/v2.2.0/fs/example_test.go#L8

package fs_test
import (
    …
    "gotest.tools/assert"
    "gotest.tools/assert/cmp"
    "gotest.tools/fs"
    "gotest.tools/golden"
)

"github.com/gotestyourself/gotestyourself" and "gotest.tools" are the same repo. This will work in isolation, bringing about potential risks and problems.

Solution

Add a replace statement in the go.mod file:

replace github.com/gotestyourself/gotestyourself => gotest.tools v2.3.0

Then clean the go.mod.
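
A minimal check for the condition this issue describes, as an added example (not code from ghetzel/pivot or gotest.tools): it scans the require entries of a go.mod and reports when a module is required under both its old and its renamed path. The `renamed` table, the `Collisions` function and the sample go.mod text are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// renamed maps an old module path to its current path (the pair from this issue).
var renamed = map[string]string{
	"github.com/gotestyourself/gotestyourself": "gotest.tools",
}

// Collisions parses the require directives of a go.mod (single-line and block
// form) and lists every renamed module that is required under both paths.
func Collisions(goMod string) []string {
	req := map[string]string{} // module path -> required version
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		// Drop trailing comments such as "// indirect" before tokenizing.
		f := strings.Fields(strings.SplitN(line, "//", 2)[0])
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			req[f[0]] = f[1]
		case len(f) == 3 && f[0] == "require":
			req[f[1]] = f[2]
		}
	}
	var out []string
	for old, cur := range renamed {
		vOld, okOld := req[old]
		vCur, okCur := req[cur]
		if okOld && okCur {
			out = append(out, fmt.Sprintf("%s@%s and %s@%s", old, vOld, cur, vCur))
		}
	}
	sort.Strings(out)
	return out
}

// Constructed go.mod fragment built from the two require lines quoted above.
const sample = `require (
	github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
	gotest.tools v2.2.0+incompatible // indirect
)`

func main() { fmt.Println(Collisions(sample)) }
```
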

KateGo520 commented 4 years ago

@ghetzel Could you help me review this issue? Thx :p