Dependency version inconsistency #6

Open
Ben131-Go opened this issue Feb 2, 2023 · 0 comments

This is a reminder of a dependency version inconsistency introduced by the replace directive used in github.com/smallstep/certificates.

Dependency line:

github.com/FederatedAI/FedLCM --> github.com/smallstep/certificates --> go.mozilla.org/pkcs7

github.com/smallstep/certificates v0.23.0 --> github.com/smallstep/pkcs7 e1aab68

https://github.com/smallstep/certificates/blob/v0.23.0/go.mod#L160

Background

Repo github.com/smallstep/certificates at version v0.23.0 uses a replace directive to pin the dependency github.com/smallstep/pkcs7 to version e1aab68.

According to the Go Modules wiki, replace directives in modules other than the main module are ignored when building the main module.
This means that such replace usage in a dependency's go.mod cannot be inherited when building the main module. And it turns out that FederatedAI/FedLCM indirectly relies on go.mozilla.org/pkcs7@33d0574, which is different from the pinned version smallstep/certificates needs.

https://github.com/FederatedAI/FedLCM/blob/main/go.mod (line 189)

go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect

https://github.com/smallstep/certificates/blob/v0.23.0/go.mod (lines 44 and 160)

go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
...
// use github.com/smallstep/pkcs7 fork with patches applied
replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20221024180420-e1aab68dda05

It seems that github.com/smallstep/certificates replaces go.mozilla.org/pkcs7 for some patches applied in github.com/smallstep/pkcs7.

Solution

1. Bump the version of dependency github.com/smallstep/certificates

If it doesn't cause issues at the moment, you may wait for github.com/smallstep/certificates to eliminate the use of the replace directive and then update it.

2. Add the same replace rule to your go.mod

replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20221024180420-e1aab68dda05

Tips: Introducing a replace directive may break go install, and it cannot be inherited by downstream projects. So, this solution is not recommended.
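
The following check is an added example, not part of the original issue or of either project's code: it lists the replace directives in a dependency's go.mod that the main module's go.mod does not repeat, which are the ones Go ignores when building the main module. The two go.mod texts are excerpts constructed from the lines quoted above, and `parseReplaces` and `droppedReplaces` are hypothetical helper names; the parser relies on `=>` appearing only in replace directives, so it covers both the single-line and the `replace ( ... )` block form.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed excerpts: only the go.mod lines quoted in the issue above.
const mainGoMod = `module github.com/FederatedAI/FedLCM
require go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
`
const depGoMod = `module github.com/smallstep/certificates
require go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
// use github.com/smallstep/pkcs7 fork with patches applied
replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20221024180420-e1aab68dda05
`

// parseReplaces maps each replaced module path to its "path version" target.
func parseReplaces(gomod string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments
		line = strings.TrimPrefix(strings.TrimSpace(line), "replace ")
		if l, r, ok := strings.Cut(line, "=>"); ok {
			if f := strings.Fields(l); len(f) > 0 {
				out[f[0]] = strings.Join(strings.Fields(r), " ")
			}
		}
	}
	return out
}

// droppedReplaces returns the dependency's replaces the main module lacks.
func droppedReplaces(mainMod, depMod string) []string {
	mainR, dropped := parseReplaces(mainMod), []string{}
	for old, repl := range parseReplaces(depMod) {
		if mainR[old] != repl {
			dropped = append(dropped, old+" => "+repl)
		}
	}
	sort.Strings(dropped)
	return dropped
}

func main() {
	for _, d := range droppedReplaces(mainGoMod, depGoMod) {
		fmt.Println("ignored when building the main module:", d)
	}
}
```
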
