Use go list -m -versions to determine available versions of a go module #4434
Conversation
go list returns a different error message: go list -m: malformed module path "pkg-errors": missing dot in first path element
go list -m properly handles retractions so this test is now passing
Prior error: go list -m: loading module retractions for github.com/dependabot-fixtures/go-modules-lib/[email protected]: version "v2.0.0" invalid: go.mod has non-.../v2 module path "github.com/dependabot-fixtures/go-modules-lib" (and .../v2/go.mod does not exist) at revision v2.0.0
644cf65 to def8e5e
Title changed from "go mod list -m -versions to determine available versions of a go module" to "go list -m -versions to determine available versions of a go module"
Very clever!
This looks great, so glad we're able to get rid of gomodules-extracted!
I believe the usage of SharedHelpers.run_shell_command will escape the args being passed to go mod list -m -versions and go mod edit to prevent command injection. I'd appreciate a 2nd look at this though.
That's right, unless we explicitly tell `run_shell_command` to `allow_unsafe_shell_command` it runs any command we pass through Shellwords which should protect against any command injection 👍

Looking forward to this release.
Co-Authored-By: Mattt Zmuda <[email protected]> Co-Authored-By: Landon Grindheim <[email protected]>
```ruby
File.write("go.mod", go_mod.content)
manifest = parse_manifest

# Set up an empty go.mod so 'go list -m' won't attempt to download dependencies. This
```
One other observation from testing is that we can also run `go list -m -versions` without a go.mod and it works the same way. However, it won't know about the exclude directives and won't be able to apply them for us so creating a go.mod with the excludes is still preferred.
```go
case "getVersions":
	var args updatechecker.Args
	parseArgs(helperParams.Args, &args)
	funcOut, funcErr = updatechecker.GetVersions(&args)
case "getVcsRemoteForImport":
	var args importresolver.Args
	parseArgs(helperParams.Args, &args)
```

Review bot: the `getVersions` case still dispatches to `updatechecker.GetVersions` even though the Ruby side now resolves versions with `go list -m -versions` and no longer calls the native helper for this; remove the case together with the `updatechecker` import so the helper binary does not carry dead code (tracked as a follow-up in #4448).
May be able to delete this as well, I filed #4448 for that
Nicely done! I opened dependabot/gomodules-extracted#17 and dependabot/gomodules-extracted#18 as followups to this.

I noticed one unanticipated side effect where Dependabot now updates major versions for
This removes usage of the native helper to resolve available go module versions. Instead we'll use the existing go tooling which has added support for this. This has a few benefits:
We previously attempted this change in #3630 but the approach was abandoned after we found the change was negatively impacting performance. It was further noted that using `go list -m -versions` was causing the go tooling to download all of the modules referenced in `go.mod` and this accounted for the bulk of the performance hit. This appears to only happen when `GOPRIVATE=*` is set which we currently need to do to support private modules. As a workaround I found that providing a `go.mod` with no requirements was a way to sidestep the performance issue. We still end up getting the version information we are looking for and no extra modules are downloaded! The performance is close to the native version as well.

Example output / performance
Using native helper
Using `go list -m -versions` with project `go.mod`
Using `go list -m -versions` with stub `go.mod` (this PR)
Other notes

`SharedHelpers.run_shell_command` will escape the args being passed to `go mod list -m -versions` and `go mod edit` to prevent command injection. I'd appreciate a 2nd look at this though.
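As an added illustration of the approach described above (example code, not code from this PR or from Dependabot), the Ruby below builds a stub `go.mod` that carries only the project's exclude directives, assembles the `go list -m -versions` command through Shellwords the way a Shellwords-based runner does, and parses the one-line output. The helper names, the `dependabot-stub` module path, the `v1.0.2` exclude and the sample output are constructed for the example.

```ruby
require "shellwords"

# Stub go.mod as described in the PR: a module line and go directive, no
# require directives (so 'go list -m' has nothing to download), but the
# project's exclude directives kept so the toolchain still applies them.
# excludes is an array of [module_path, version] pairs.
def stub_go_mod(module_path, go_version, excludes)
  lines = ["module #{module_path}", "", "go #{go_version}"]
  unless excludes.empty?
    lines << ""
    excludes.each { |path, version| lines << "exclude #{path} #{version}" }
  end
  lines.join("\n") + "\n"
end

# Assembles the command string the way a Shellwords-based runner does: each
# argument is escaped on its own, so shell metacharacters in a module path
# (which originates in the user's go.mod) are passed literally rather than
# interpreted by the shell.
def versions_command(module_path)
  Shellwords.join(["go", "list", "-m", "-versions", module_path])
end

# Parses the output of 'go list -m -versions', which is one line per module:
#   <module path> v1.0.0 v1.0.1 v1.1.0
# A module with no tagged versions prints just its path. Returns the version
# strings; versions excluded in go.mod are already absent from the output.
def parse_versions(output, module_path)
  line = output.lines.map(&:strip).find do |l|
    l == module_path || l.start_with?("#{module_path} ")
  end
  raise "#{module_path} not present in go list output" if line.nil?
  line.split(" ").drop(1)
end

# Constructed sample output for the example (not captured from a real run).
SAMPLE_OUTPUT = "github.com/dependabot-fixtures/go-modules-lib v1.0.0 v1.0.1 v1.1.0\n"

if __FILE__ == $PROGRAM_NAME
  puts stub_go_mod("dependabot-stub", "1.17",
                   [["github.com/dependabot-fixtures/go-modules-lib", "v1.0.2"]])
  puts versions_command("github.com/dependabot-fixtures/go-modules-lib")
  p parse_versions(SAMPLE_OUTPUT, "github.com/dependabot-fixtures/go-modules-lib")
end
```

Running the real command still requires a Go toolchain and network access; the parsing and escaping shown here work offline on the constructed sample.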