force a transitive dependency version in golang

Question

I have a question about dependencies in golang.
My application defines a go.mod like this:

module my.host.com/myapp

require (
	ext1.com/module1 v0.0.1
)

go 1.14

The dependency relationship is:

  1. ext1.com/module1 v0.0.1 depends on ext3.com/module3 v0.0.3

A security scan detects ext3.com/module3 v0.0.3 is insecure and must be updated to v0.0.4.

Is there a way to "force" myapp to get only module3 v0.0.4, overriding the directives defined in module1 v0.0.1 go.mod?

  1. Let's say ext1.com/module1 v0.0.1 is already at the latest version, so upgrading it doesn't work.

Would "replace" work?

module my.host.com/myapp

require (
	ext1.com/module1 v0.0.1
)

replace ext3.com/module3 v0.0.3 => ext3.com/module3 v0.0.4

go 1.14

Thanks in advance!

Answer 1

Score: 1

Run go get -u ext3.com/module3@v0.0.4.

This upgrades the module to at least v0.0.4.

Given the dependency main -> B -> C, when main requires a higher version of C than that required by B, the higher version is selected, with // indirect.

See this: https://go.dev/ref/mod#go-mod-file-require

> If the go directive specifies go 1.16 or lower, the go command adds an indirect requirement when the selected version of a module is higher than what is already implied (transitively) by the main module’s other dependencies. That may occur because of an explicit upgrade (go get -u ./...)

I quote this part because your go.mod has go 1.14.
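The selection rule the answer relies on (the build list takes the highest version of a module that anything requires, so a direct requirement from myapp on v0.0.4 overrides module1's v0.0.3) replayed over `go mod graph` output, as an added POSIX shell example that is not part of the original post. The graph text is constructed here from the question's hypothetical module paths, since running `go mod graph` itself needs the modules to be fetchable.

```shell
#!/bin/sh
# Added example (not from the original post): replay Go's version selection
# over `go mod graph` output, whose lines read "<requirer> <required@version>".
# The build list takes the highest version any module requires, so a direct
# requirement from myapp on v0.0.4 beats module1's v0.0.3 without touching
# module1. Graphs are constructed with the question's hypothetical paths.

GRAPH_BEFORE='my.host.com/myapp ext1.com/module1@v0.0.1
ext1.com/module1@v0.0.1 ext3.com/module3@v0.0.3'

# After `go get ext3.com/module3@v0.0.4`: module1's edge stays, myapp adds one.
GRAPH_AFTER='my.host.com/myapp ext1.com/module1@v0.0.1
my.host.com/myapp ext3.com/module3@v0.0.4
ext1.com/module1@v0.0.1 ext3.com/module3@v0.0.3'

# vercmp A B: print -1, 0 or 1 comparing "vX.Y.Z" release versions
# numerically (pre-release suffixes are not handled).
vercmp() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) { print "-1"; exit }
            if (x[i] + 0 > y[i] + 0) { print "1"; exit }
        }
        print "0"
    }'
}

# selected_version GRAPH MODULE: the version the build list picks, i.e. the
# highest one required by any module in GRAPH (empty if MODULE is absent).
selected_version() {
    best=""
    for v in $(printf '%s\n' "$1" |
               awk -v mod="$2" '{ split($2, a, "@"); if (a[1] == mod) print a[2] }'); do
        if [ -z "$best" ] || [ "$(vercmp "$v" "$best")" -eq 1 ]; then best=$v; fi
    done
    printf '%s\n' "$best"
}

# fails_scan GRAPH MODULE FIXED: succeed (exit 0) when the selected version
# of MODULE is older than FIXED, the version the scanner reports as patched.
fails_scan() {
    sel=$(selected_version "$1" "$2")
    [ -n "$sel" ] && [ "$(vercmp "$sel" "$3")" -eq -1 ]
}

echo "before: $(selected_version "$GRAPH_BEFORE" ext3.com/module3)"   # v0.0.3
echo "after:  $(selected_version "$GRAPH_AFTER" ext3.com/module3)"    # v0.0.4
```

On a real module, feed the functions the output of `go mod graph`, or simply run `go list -m ext3.com/module3` to print the selected version directly.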

huangapple
  • Posted on 25 November 2021 01:17:50
  • When reposting, please keep the link to this article: https://go.coder-hub.com/70100325.html