Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): Relax go minor version requirement #6595

Merged
merged 6 commits into from
Jan 11, 2025

Conversation

arjan-bal
Copy link
Contributor

grpc-go 1.68.0 added the go minor version when bumping the go version from go1.21 to go1.22. Due to user feedback, gRPC Go decided to drop the Go minor version in grpc/grpc-go#7831 which was part of grpc-go 1.68.1. Quoting this comment from @ash2k:

The issue with specifying the patch version that is not 0 is that now all modules that import this module will have to use this or a newer version. There may be reasons people don't or cannot use the more recent patch version. FWIW I think a library shouldn't have an opinion on the patch version used.

An example of this - we use https://github.com/golang-fips/go/ to provide FIPS-compatible builds. Not all Go versions may be available there e.g. right now there is no 1.23.2. Go 1.22.7 was released 2024-09-05 but FIPS version was tagged 2024-09-27. If grpc-go released a CVE fix in the window of those 22 days, we wouldn't have been able to upgrade.

TL;DR this doesn't benefit grpc-go in any way but might hurt your users.

When the grpc-go version in opentelemetry-go-contrib was bumped, the go minor version got added to this repo's mod files: #6306

When grpc-go is bumping the version of go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelg
rpc
, the go minor version is getting added again. This PR aims to relax the min version requirement to avoid this.

@pellared
Copy link
Member

pellared commented Jan 10, 2025

  1. There are more modules that depend on go 1.22.7. Can you downgrade to go 1.22.0 there as well?
  2. Please add a changelog entry.

For reference: open-telemetry/opentelemetry-go#6073 (you may need to bump OTel Go to at least open-telemetry/opentelemetry-go@0b00bfb)

@arjan-bal
Copy link
Contributor Author

  1. There are more modules that depend on go 1.22.7. Can you downgrade to go 1.22.0 there as well?

Nope, running go mod tidy on the remaining modules bumps the version back up to 1.22.7. I didn't look into which dependency is causing it.

Please add a changelog entry.

Added.

@arjan-bal
Copy link
Contributor Author

arjan-bal commented Jan 10, 2025

The deps that are preventing other packages from using go1.22.0 are in go.opentelemetry.io/otel:

  1. otel/exporters/otlp/otlplog/otlploghttp@v0.9.0
  2. otel/exporters/otlp/otlplog/otlploggrpc@v0.9.0
  3. otel/exporters/otlp/otlptrace@v1.33.0
  4. otel/exporters/otlp/otlpmetric/otlpmetricgrpc@v1.33.0
  5. otel/exporters/otlp/otlpmetric/otlpmetrichttp@v1.33.0
  6. otel/exporters/otlp/otlptrace/otlptracehttp@v1.33.0
  7. otel/exporters/otlp/otlptrace/otlptracegrpc@v1.33.0

I think they can be relaxed by updating the opentelemetry-go repo first.

@pellared
Copy link
Member

Nope, running go mod tidy on the remaining modules bumps the version back up to 1.22.7. I didn't look into which dependency is causing it.

See:

For reference: open-telemetry/opentelemetry-go#6073 (you may need to bump OTel Go to at least open-telemetry/opentelemetry-go@0b00bfb)

@arjan-bal
Copy link
Contributor Author

@pellared, should we keep this PR on hold till the next opentelemetry-go release, so that we can change the remaining modules?

@MrAlias
Copy link
Contributor

MrAlias commented Jan 10, 2025

@pellared, should we keep this PR on hold till the next opentelemetry-go release, so that we can change the remaining modules?

I would upgrade those dependencies on otel that are blocking to the commit hash version that fixes things.

@arjan-bal
Copy link
Contributor Author

@MrAlias I've bumped only the dependencies that were needed to relax the go version. PTAL.

@MrAlias
Copy link
Contributor

MrAlias commented Jan 10, 2025

@arjan-bal what about go.opentelemetry.io/contrib/tools?

@arjan-bal
Copy link
Contributor Author

go.opentelemetry.io/contrib/tools

The minor version in that module is due to the following dependencies:

  • github.com/gostaticanalysis/testutil@v0.5.0/go.mod:go 1.22.9
  • github.com/gostaticanalysis/comment@v1.5.0/go.mod:go 1.22.9

@MrAlias
Copy link
Contributor

MrAlias commented Jan 10, 2025

go.opentelemetry.io/contrib/tools

The minor version in that module is due to the following dependencies:

  • github.com/gostaticanalysis/testutil@v0.5.0/go.mod:go 1.22.9
  • github.com/gostaticanalysis/comment@v1.5.0/go.mod:go 1.22.9

Gotcha, thanks for tracking that down. I think the tools module may be something we can exclude from here. Thoughts @pellared et al.?

@pellared
Copy link
Member

@arjan-bal, thank you for your contribution 🥇

@pellared pellared merged commit 0b18cfe into open-telemetry:main Jan 11, 2025
26 checks passed
@MrAlias MrAlias added this to the v1.34.0 milestone Jan 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants