FedLCM icon indicating copy to clipboard operation
FedLCM copied to clipboard

Published 20 hours ago verified publisher icon FederatedAI

Dependency version inconsistency

Open Ben131-Go opened this issue 2 years ago • 0 comments

It is a reminder of dependency version inconsistency introduced by replace directive used in github.com/smallstep/certificates.

Dependency line:

github.com/FederatedAI/FedLCM --> github.com/smallstep/certificates --> go.mozilla.org/pkcs7
github.com/smallstep/certificates v0.23.0 --> github.com/smallstep/pkcs7 e1aab68
https://github.com/smallstep/certificates/blob/v0.23.0/go.mod#L160

Background

Repo github.com/smallstep/certificates at version v0.23.0 uses replace directive to pin dependency github.com/smallstep/pkcs7 to version e1aab68.
According to Go Modules wikis, replace directives in modules other than the main module are ignored when building the main module. It means such replace usage in dependency's go.mod cannot be inherited when building main module. And it turns out that FederatedAI/FedLCM indirectly relies on go.mozilla.org/pkcs7@33d0574, which is different from the pinned version smallstep/certificates needed.

https://github.com/FederatedAI/FedLCM/blob/main/go.mod(Line 189)

go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect

https://github.com/smallstep/certificates/blob/v0.23.0/go.mod(line 44&160)

go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
...
// use github.com/smallstep/pkcs7 fork with patches applied
replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20221024180420-e1aab68dda05

It seems that github.com/smallstep/certificates replaces go.mozilla.org/pkcs7 for some patches applied in github.com/smallstep/pkcs7.

Solution

1. Bump the version of dependency github.com/smallstep/certificates

If it doesn't cause issues at the moment, you may wait github.com/smallstep/certificates to eliminate the use of the replace directive and then update it.

2. Add the same replace rule to your go.mod

replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20221024180420-e1aab68dda05

Tips: Introduce replace directive may break go install and it can not be inherited by downstream projects. So, this solution is not recommended.

Ben131-Go avatar Feb 02 '23 07:02 Ben131-Go