gomod
gomod copied to clipboard
Show dependency graph leading to a package with a certain version
Feature request
Checklist
- [x] The feature / improvement you are suggesting overlaps with the purpose of
gomod
: facilitating the management of Go modules and their dependencies. - [x] You have examined various alternatives to the new feature / improvement you are suggesting and are describing the results in the description below.
- [x] You have filled in the three sections below and deleted their corresponding placeholders texts.
Description
While
gomod graph 'rdeps(github.com/mypackage)'
works great to find how certain packages got included in the dep chain, sometimes it is useful to know that for a specific version of that package. In my case, I have multiple different versions of github.com/mypackage
deep down in my dependency chain. Though one of them has a known vulnerability. So I want to know how that version ended up on the chain, and what packages I might have to update to fix that issue.
Essentially I would love to be able to do this:
gomod graph 'rdeps(github.com/[email protected])'
I too encountered since problem and couldn't find a satisfactory solution. I wrote this to solve it: https://github.com/JoelColledge/gomodtree But it would be better to have this functionality in this project, since it is generally much more powerful.
agree, we're also having this issue
@JoelColledge how to use your tool? mine doesn't seem to print a lot of useful information (nothing really)
@JoelColledge how to use your tool? mine doesn't seem to print a lot of useful information (nothing really)
@RobinUS2 I'm afraid I don't remember anything about it other than what I wrote in the README in the tool's repo. Perhaps check that go mod graph
is giving meaningful output.
Yes go mod graph
is fine, maybe it's a Go version thing (having 1.18.2 here), wrote something myself that does what I needed: https://github.com/RobinUS2/godephunter
Hello folks. Just a quick message to drop-in and acknowledge the ticket. I sincerely apologise for the (way too) long delay. For some reason something had switched off notifications about new issues in this project and my own development has been dormant. 🤦
I will try to get to this over the next few weeks to see what needs doings. If someone wants to take a stab themselves at adding this please let me know as well so we don't do double work.
Hey @Helcaraxan, no worries, your work is appreciated either way!