downgrade go-difflib and go-spew to tagged releases #5654
Conversation
github-actions
bot
added
the
area/dependencies
go.mod
Outdated
| exclude ( | ||
| // These dependencies were updated to "master" in some modules we depend on, | ||
| // but have no code-changes since their last release. Unfortunately, this also | ||
| // causes a ripple effect, forcing all users of the containerd module to also | ||
| // update these dependencies to an unrelease / un-tagged version. | ||
| // | ||
| // Both these dependencies will unlikely do a new release in the near future, | ||
| // so exclude these versions so that we can downgrade to the current release. | ||
| // | ||
| // For additional details, see this PR and links mentioned in that PR: | ||
| // https://github.com/kubernetes-sigs/kustomize/pull/5830#issuecomment-2569960859 | ||
| github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc | ||
| github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 | ||
| ) |
There was a problem hiding this comment.
iiuc we need to keep these exclusions until spf13/viper#1861 is part of a tagged release?
There was a problem hiding this comment.
Yeah, and until other indirect dependencies are updated (I was hoping the patch in containerd (containerd/containerd#11222) would help, but the nydus-snapshotter and stargz-snapshotter modules still have the wrong version and are a direct dependency of BuildKit, so those now push them to the untagged versions.
| @@ -184,3 +184,18 @@ require ( | |||
| tags.cncf.io/container-device-interface v0.8.0 // indirect | |||
| tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect | |||
| ) | |||
|
|
|||
| exclude ( | |||
| // These dependencies were updated to "master" in some modules we depend on, | |||
There was a problem hiding this comment.
what modules? (I guess nydus-snapshotter and stargz-snapshotter but not sure)
There was a problem hiding this comment.
spf13/viper was the initial one, but that made it through to kustomize, kustomize to kubernetes, kubernetes to containerd, containerd to stargz
There was a problem hiding this comment.
If it is already in containerd then what is it breaking for "all users of the containerd module" ? Or doesn't this need to go to containerd's go.mod then?
There was a problem hiding this comment.
Trying to break the cycle; currently all users of buildkit and moby will be forced to update the dependency to a version that will never be released.
There was a problem hiding this comment.
hmm, I'm looking at containerd v2.0.2 (vendored in buildkit) and it already has this same patch containerd/containerd@f341477 (from you). So the newer versions are not breaking anything for buildkit itself, but afaics your claim is that they may break something for someone importing buildkit (and through it containerd). But if these exclude rules do not carry over to the caller (as they have not carried from containerd to buildkit) then any caller would need to add their own exclude rules anyway. If that's the case then what's the improvement from buildkit adding these extra rules.
There was a problem hiding this comment.
s/archived/ or marked "unmaintained"
There was a problem hiding this comment.
Are these excludes more "dependency hygiene" than fixing an actual issue? I'm trying to figure out if we are going to keep these excludes "forever".
There was a problem hiding this comment.
(Assuming exclude propagates but gets overwritten by other deps)
Can we add a comment that these are downgraded in containerd 2.0.2 but because nydus-snapshotter, stargz-snapshotter do not depend on 2.0.2 yet that downgrade does not work unless we make one explicitly.
There was a problem hiding this comment.
There is no particular issue. The world still exists, the wheels keep rolling.
I look at go.mod and see a noticeable amount of untagged deps. But for some reason, @thaJeztah cares a lot more about these two than about others.
I'm trying to figure out if we are going to keep these excludes "forever".
@thaJeztah hopes he can stop the plague by quick downgrade of every place where these deps already got (though nothing prevents this from happening again).
To be honest, I'd declare a dep with last commit in 2018 as dead and requiring a complete replacement.
There was a problem hiding this comment.
The other untagged versions don't tag releases, so there's no release to choose from.
These dependencies were updated to "master" in some modules we depend on, but have no code-changes since their last release. Unfortunately, this also causes a ripple effect, forcing all users of the containerd module to also update these dependencies to an unrelease / un-tagged version. Both these dependencies will unlikely do a new release in the near future, so exclude these versions so that we can downgrade to the current release. For additional details, see [this PR][1] and links mentioned in it. [1]: kubernetes-sigs/kustomize#5830 (comment) Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
force-pushed
the
downgrade_tagged_releases
branch
from
caa0299 to
60b4760
Compare
These dependencies were updated to "master" in some modules we depend on, but have no code-changes since their last release. Unfortunately, this also causes a ripple effect, forcing all users of the containerd module to also update these dependencies to an unrelease / un-tagged version.
Both these dependencies will unlikely do a new release in the near future, so exclude these versions so that we can downgrade to the current release.
For additional details, see this PR and links mentioned in it.