search

golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License
121.11k stars 17.37k forks source link

x/exp/cmd/gorelease: retraction diagnostic reported for dependency which doesn't exist #66892

Open sbunce opened 2 months ago

sbunce commented 2 months ago

Go version

go 1.22.2

Output of go env in your module/workspace:

GO111MODULE='on'
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/seth.bunce/.cache/go-build'
GOENV='/home/seth.bunce/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/seth.bunce/go/pkg/mod'
GONOPROXY='github.robot.car'
GONOSUMDB='github.robot.car'
GOOS='linux'
GOPATH='/home/seth.bunce/go'
GOPRIVATE='github.robot.car'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/seth.bunce/src/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/seth.bunce/src/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.2'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/home/seth.bunce/go/src/github.robot.car/cruise/rbe/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3617164854=/tmp/go-build -gno-record-gcc-switches'

What did you do?

I have run gorelease.

What did you see happen?

gorelease printed two diagnostics and returned exit code 1

# diagnostics
required module github.com/microcosm-cc/bluemonday@v1.0.23 retracted by module author: Retract older versions as only latest is to be depended upon
required module go.mongodb.org/mongo-driver@v1.11.0 retracted by module author: Retract v1.11.0 through v1.11.2 because they contain a data race bug in

What did you expect to see?

I do not expect to see the diagnostics, because I do not have those modules listed in my go.mod as either direct or indirect dependencies.

I was able to get gorelease working by introducing a dependency on the retracted modules (which otherwise won't be in my go.mod after running "go mod tidy").

import (
    _ "github.com/microcosm-cc/bluemonday"
    _ "go.mongodb.org/mongo-driver/version"
)

Once depending on these dependencies (which I don't otherwise need). I was able to "go get" to get non-retracted versions.

go get github.com/microcosm-cc/bluemonday@v1.0.26
go get go.mongodb.org/mongo-driver@v1.15.0

The end result is that I've added extra unneeded dependencies to my project to make it so gorelease won't fail. This is definitely not working as intended.

cherrymui commented 2 months ago

cc @golang/tools-team