Stop bumping go directive unless necessitated by other dependencies #1454

Open
kaovilai opened this issue Dec 24, 2024 · 1 comment

@kaovilai

This repo by itself should not be enforcing a minimum on other repositories importing it. Stop spreading the "minimum virus".

The toolchain version used will be defined outside of go.mod ideally, such as by installing a newer compatible Go toolchain to the CI/CD/development env.

Failing that, the toolchain directive should be used instead of the go directive for bumping versions, so as not to cascade minimum versions to importing dependencies.

The toolchain directive, in contrast to the go directive, applies only to the current module (the one defined by the go.mod file). It suggests the toolchain to be used when in that very module, and doesn't propagate to other modules.

High profile repos that have removed/reduced minimum go patch version per user requests

Being proactive to prevent the following from reoccurring

@kaovilai
Author

```
@kaovilai ➜ /workspaces/apko (main) $ go mod graph | grep go@1.23
chainguard.dev/apko go@1.23.4
chainguard.dev/go-grpc-kit@v0.17.7 go@1.23.1
chainguard.dev/sdk@v0.1.29 go@1.23.3
go@1.23.4 toolchain@go1.23.4
k8s.io/apimachinery@v0.32.0 go@1.23.0
sigs.k8s.io/release-utils@v0.8.5 go@1.23
```

Nothing in this repo necessitated 1.23.1. In fact, it is shown that the lowest required by other deps is 1.23.1, as required by chainguard.dev/sdk@v0.1.29.
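An added example, not part of the issue thread or the apko code base: a small Go program that reads `go mod graph` output and reports the main module's own `go` directive next to the highest `go` directive set by any dependency, which is the check the comment above does by eye. The sample input is constructed from the output quoted in that comment; the names `rank` and `goFloor` and the release-only version parsing are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: the `go mod graph | grep go@1.23` lines quoted in the comment above.
const sampleGraph = `chainguard.dev/apko go@1.23.4
chainguard.dev/go-grpc-kit@v0.17.7 go@1.23.1
chainguard.dev/sdk@v0.1.29 go@1.23.3
go@1.23.4 toolchain@go1.23.4
k8s.io/apimachinery@v0.32.0 go@1.23.0
sigs.k8s.io/release-utils@v0.8.5 go@1.23`

// rank maps "1.23.4" to 1023004 so versions compare as integers.
// Assumption: release versions only (no rc/beta suffixes); "" ranks as 0.
func rank(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "%d.%d.%d", &a, &b, &c) // a short "1.23" leaves c at 0
	return a*1_000_000 + b*1_000 + c
}

// goFloor returns the main module's go directive (own) and the highest go
// directive among dependencies (depMax) with the module that sets it (depMod).
func goFloor(graph string) (own, depMax, depMod string) {
	for _, line := range strings.Split(graph, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || !strings.HasPrefix(f[1], "go@") {
			continue // skips toolchain edges and ordinary module-to-module edges
		}
		v := strings.TrimPrefix(f[1], "go@")
		if !strings.Contains(f[0], "@") { // the main module is listed without @version
			own = v
		} else if rank(v) > rank(depMax) {
			depMax, depMod = v, f[0]
		}
	}
	return
}

func main() {
	own, depMax, depMod := goFloor(sampleGraph)
	fmt.Printf("main module go directive:        %s\n", own)
	fmt.Printf("highest dependency go directive: %s (%s)\n", depMax, depMod)
	fmt.Printf("own directive above dependency floor: %v\n", rank(own) > rank(depMax))
}
```

On a real checkout, the full `go mod graph` output can be passed to `goFloor` in place of `sampleGraph`.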
