Potential collision and risk from indirect dependence "github.com/rsc/qr"

[KateGo520]

Dependency line:

github.com/kreuzwerker/awsu --> github.com/mdp/qrterminal v1.0.0 --> github.com/rsc/qr

github.com/mdp/qrterminal v1.0.0 --> github.com/rsc/qr (No version information) https://github.com/mdp/qrterminal/blob/v1.0.0/qrterminal.go#L7

package qrterminal
import (
    "io"
    "strings"
    "github.com/rsc/qr"
) 

Background

Repo mdp/qrterminal used the old path to import rsc/qr， and didn’t use module in the version v1.0.0. This caused that github.com/rsc/qr and rsc.io/qr coexist in this repo： https://github.com/kreuzwerker/awsu/blob/master/go.mod （Line 9 & 18）

github.com/rsc/qr v0.1.0
rsc.io/qr v0.2.0 // indirect 

That’s because the rsc/qr has already renamed it’s import path from "github.com/rsc/qr" to "rsc.io/qr". When you use the old path "github.com/rsc/qr" to import the rsc/qr, will reintroduces rsc/qr through the import statements "import rsc.io/qr" in the go source file of rsc/qr.

https://github.com/rsc/qr/blob/v0.1.0/qr.go#L15

package qr
import (
    "errors"
    "image"
    "image/color"
    "rsc.io/qr/coding"
)

"github.com/rsc/qr" and "rsc.io/qr" are the same repos. This will work in isolation, bring about potential risks and problems.

Solution

1. Add replace statement in the go.mod file:

   replace github.com/rsc/qr => rsc.io/qr v0.1.0

   Then clean the go.mod.

2. Update the direct dependency github.com/mdp/qrterminal. This problem does not exist in the latest version v3.0.0 of github.com/mdp/qrterminal.

https://github.com/mdp/qrterminal/blob/v3.0.0/qrterminal.go#L7

package qrterminal
import (
    "io"
    "strings"
    "rsc.io/qr"
)

[KateGo520]

@yawn @wontonst Could you help me review this issue? Thx :p

[yawn]

Sorry, still on vacation - can it wait until beginning of next month?