Closed ChandlerSwift closed 3 weeks ago
If either a downgrade to hcl@v1.0.0
or an upgrade to hcl@v1.0.1-vault-5
(the newest 1.x version) or something else entirely makes sense, I'd be happy to open a PR for such! But I figured I'd make sure that made sense before making and testing a PR.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for raising this issue.
This is still an issue.
Describe the bug I generally run
go
withGOPROXY=direct
, which bypasses the Google-run module cache and downloads modules sources directly from their repos. Terragrunt fails to be built with this option set, due to a hash mismatch on an indirect dependency.To Reproduce I ran these commands in a current
golang
docker container, to make sure nothing in my environment was causing (additional) issues:Expected behavior This build should succeed.
Additional context I'm not a go packaging expert, so take all this with a healthy grain of salt :) My understanding is that go's tooling all makes the (reasonable) assumption that a tagged release will not change. However, it turns out that
1.0.1-vault
is in fact a branch, not a tag, and it has moved. proxy.golang.org, being a caching proxy, provides the first seen version of 1.0.1-vault (which I believe to be https://github.com/hashicorp/hcl/commit/809e678c39ec71ae0b37a792de60b7e10e571dfe), while an install withGOPROXY=direct
fetches the tip of the branch from its repo, which is https://github.com/hashicorp/hcl/commit/cf4c4bf2466d28b8fd0e9953ee5eb7caa3af5418.It doesn't seem to me like there's an obvious way to make the
hcl@1.0.1-vault
dependency work; either I leave it with an outdated hash so that it works with the proxy (and presumably, for the majority of Go users who don't override the defaultGOPROXY
option), or I update the hash and it works for me but breaks for anyone who uses the default proxy.However, a fairly straightforward fix would be to either upgrade or downgrade the version of the indirect dependency; it appears to be required only by https://github.com/hashicorp/terraform-config-inspect/blob/master/go.mod#L6C1-L6C61 which merely requires a version greater than
v0.0.0-20170504190234-a4b07c25de5f
and less than 2.0, so any of the versions listed at https://pkg.go.dev/github.com/hashicorp/hcl?tab=versions (which are all tags, exceptv1.0.1-vault
which we had the bad luck to land on) should work.