-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
deps: update dependencies for all modules #7624
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #7624 +/- ##
=======================================
Coverage 81.87% 81.87%
=======================================
Files 361 361
Lines 27813 27813
=======================================
+ Hits 22771 22772 +1
Misses 3847 3847
+ Partials 1195 1194 -1 |
@@ -1,6 +1,6 @@ | |||
module google.golang.org/grpc/cmd/protoc-gen-go-grpc | |||
|
|||
go 1.21 | |||
go 1.22.7 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it necessary to specify a patch version here? Or is this just what go get go@1.22
does?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the default behaviour when running go get go@1.22 && go mod tidy
. This change seems to be introduced in the Go toolchain since 1.21: https://tip.golang.org/doc/go1.21#tools
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The issue with specifying the patch version that is not 0
is that now all modules that import this module will have to use this or a newer version. There may be reasons people don't or cannot use the more recent patch version. FWIW I think a library shouldn't have an opinion on the patch version used.
An example of this - we use https://github.com/golang-fips/go/ to provide FIPS-compatible builds. Not all Go versions may be available there e.g. right now there is no 1.23.2. Go 1.22.7 was released 2024-09-05 but FIPS version was tagged 2024-09-27. If grpc-go released a CVE fix in the window of those 22 days, we wouldn't have been able to upgrade.
TL;DR this doesn't benefit grpc-go in any way but might hurt your users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All the dependencies for grpc-go are bumped to the latest versions soon after a release branch is cut. If any dependency specifies a patch version > 0, grpc-go will also need to specify at least that version.
There are some measures preventing the example scenario mentioned above:
- Once the Go version is bumped, the change will enter the first release branch after roughly 6 weeks.
- grpc-go does patch releases for recent minor versions. So the security patch would be applied to older releases as well. Older grpc-go releases would be using an older version of Go.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If any dependency specifies a patch version > 0, grpc-go will also need to specify at least that version.
I understand. This is not under your control, of course. Is this actually happening?
There are some measures preventing the example scenario mentioned above:
Yes. But then I also cannot use the latest version some times.
I can only repeat what I've said already - this doesn't benefit grpc-go in any way but might hurt your users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree completely with @ash2k. Upgrading the toolchain involves a lot of testing. This library (or any other) should not force patch versions. I think it was a mistake the Go authors even introduced that concept.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed with other maintainers and we decided to remove the go minor versions: #7831
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lol good call. 👍
Our CI last night saw red across all our microservices via dependabot updates. 😅
Are we able to get a patch release?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't plan to do a patch release for this change alone. If there are bugs discovered in 1.68.0, we may cherry-pick the change into the next patch release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How often are minor versions created (ie. is there a v1.69.0 in the works)? If there are no plans for a v1.69.0, and let's say there happen to be 0 bugs nor vulnerabilities in 1.68.0, then people who cannot use go1.22.7 would not be able to use v1.68.0.
If there are plans to get a v1.69.0 out sometime in the near future, then not backporting this fix into v1.68 isn't a huge deal. If there are no plans, then I think this, alone, is worth backporting into v1.68.1 so people can use it.
Adding this to the conversation over at: golang/go#65847 Tracking issues related to the changes to the go/toolchain directive |
Some of the dependencies required
go1.22
. Following the release instructions, the minimum go version for all modules is bumped togo1.22.7
sincego1.23
is the latest release.RELEASE NOTES:
go1.22.7
.