-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decrease the specificity of the Go version in go.mod #370
Comments
What can be meaningfully specified on a See discussion e.g. on the Go repository here: See - golang/go#62278 (comment) Note that there are many linked issues to other projects, where they have had to do the same... add a patch release to the |
@dtrudg from that trhead you linked:
Can you talk us through your reasoning about picking the
|
@robdimsdale - I'll ask @tri-adam to chime in, but my understanding from the Go documentation and the thread linked is that...
This module is primarily used by sylabs/singularity - and there we had more issues with We also have upstream dependencies that are now specifying an https://github.com/sigstore/sigstore/blob/main/go.mod#L3 ... so it's not clear to me that we can avoid it anyway. |
@dtrudg Yeah, the transitive dependencies issue is exactly why we (https://github.com/paketo-buildpacks) are here. We don't use My understanding of the However, I accept that my understanding might be wrong. And even if I'm not wrong, I accept that we can't avoid updating transitive dependencies just because they bump the Honestly, we're just trying to keep our dependencies up to date via I'm happy to leave this issue open a little longer to ensure relevant parties have had a chance to weigh in. But personally, I think I'm convinced that we (paketo buildpacks) need to accept that transitive dependencies will require |
Okay - I'll see what @tri-adam says.... I must admit we (or at least I) went through a lot of somewhat confused discussion based on finding different ideas in issues when we first used a I would point out, though, that according to the syntax documented at the link below, the It's all really confusing given that 1.20, 1.19 etc. were language and release versions... but from https://go.dev/ref/mod#go-mod-file-go ![]() |
I can shed some light on why we went down this road. When we dropped Go 1.20 support (#351), I actually did go with Ultimately, on re-reading the documentation I came to the conclusion that
On this:
Yes... unfortunately I don't see a way out of that. We are facing this ourselves at the moment with Dependabot having pulled in a dependency which has bumped to Go 1.22.0 (#369). Having committed to supporting the current to stable releases of Go in this module, we have to either hold off on updating that module or change our policy around Go version compatibility... With all that said... @robdimsdale I'm curious what effects you are seeing. Could you drop a link to a Dependabot PR where we're generating extra noise? That certainly wasn't our intention, and I'd be curious to learn about any downstream effects. |
Sure thing - an example failure is this PR, which fails when trying to run tests with the following:
Running a The more I think about this, the more I think it's probably just a deficiency in github's dependabot. I don't really mind what patch version of (for extra context, part of why dependabot failures like this are annoying to us is because we manage dozens of repositories in the OSS and hundreds more like this in closed-source commercial repositories. I've probably closed 500 broken dependabot pull requests this week alone) |
Thanks for that, it helps fill in the gaps. I gather this is a direct result of the new requirement on that
Since SIF bumped to I agree that this is probably something Dependabot could/should automate. In reality this will come up fairly often as dependent modules adopt new minimum Go versions. As an aside, I think we were about to be forced to add the patch version to the To summarize, I think we'll stick with our current approach of specifying the patch level explicitly. Hope you can find a scalable solution to ease the Dependabot pain in all of those repos you are managing. Thanks for the discussion... I learned a lot from it. All the best! |
In 9ea2328 you added a patch version the to Go version inside of
go.mod
. This in turn means that all consumers of this module now need to specify the exact patch version as well instead of being able to set something likego 1.21
.Would it be possible to decrease the specificity of the version given to allow for an easier upgrade path using tools like dependabot?
The text was updated successfully, but these errors were encountered: