
Show dependency graph leading to a package with a certain version

Open MoSattler opened this issue 2 years ago • 6 comments

Feature request

Checklist

  • [x] The feature / improvement you are suggesting overlaps with the purpose of gomod: facilitating the management of Go modules and their dependencies.
  • [x] You have examined various alternatives to the new feature / improvement you are suggesting and are describing the results in the description below.
  • [x] You have filled in the three sections below and deleted their corresponding placeholder texts.

Description

While

gomod graph 'rdeps(github.com/mypackage)'

works great to find how certain packages got included in the dep chain, sometimes it is useful to know that for a specific version of that package. In my case, I have multiple different versions of github.com/mypackage deep down in my dependency chain, though one of them has a known vulnerability. So I want to know how that version ended up on the chain, and what packages I might have to update to fix that issue.

Essentially I would love to be able to do this:

gomod graph 'rdeps(github.com/[email protected])'

MoSattler, Sep 30 '21 08:09
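The version-specific lookup requested above can be approximated from plain `go mod graph` output, where each line is `<module> <requirement>` and the main module carries no version. The sketch below is an added example, not code from gomod or from the tools linked in this thread; `PathsTo` and every module name and version in the sample are made up for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample in `go mod graph` format; all names and versions are invented.
const sampleGraph = `example.com/app example.com/web@v1.4.0
example.com/app example.com/log@v0.9.0
example.com/web@v1.4.0 github.com/mypackage@v1.2.0
example.com/log@v0.9.0 example.com/util@v0.3.0
example.com/util@v0.3.0 github.com/mypackage@v1.0.0
example.com/util@v0.3.0 example.com/log@v0.9.0
`

// PathsTo returns every cycle-free requirement chain, root first, ending at the exact "module@version" target.
func PathsTo(graph, target string) [][]string {
	parents := map[string][]string{} // requirement -> modules that require it
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			parents[f[1]] = append(parents[f[1]], f[0])
		}
	}
	var out [][]string
	seen := map[string]bool{} // nodes on the current chain, to break cycles
	var walk func(node string, chain []string)
	walk = func(node string, chain []string) {
		if seen[node] {
			return // the module graph may contain cycles
		}
		seen[node] = true
		defer delete(seen, node)
		chain = append([]string{node}, chain...)
		if len(parents[node]) == 0 && len(chain) > 1 {
			out = append(out, chain) // reached a root, i.e. the main module
		}
		for _, p := range parents[node] {
			walk(p, chain)
		}
	}
	walk(target, nil)
	return out
}

func main() {
	for _, p := range PathsTo(sampleGraph, "github.com/mypackage@v1.0.0") {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

Each printed chain lists the modules whose requirements pull in the affected version, which are the candidates to upgrade.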

I too encountered this problem and couldn't find a satisfactory solution. I wrote this to solve it: https://github.com/JoelColledge/gomodtree But it would be better to have this functionality in this project, since it is generally much more powerful.

JoelColledge, Nov 11 '21 10:11

agree, we're also having this issue

@JoelColledge how to use your tool? mine doesn't seem to print a lot of useful information (nothing really)

RobinUS2, Jun 15 '22 11:06

> @JoelColledge how to use your tool? mine doesn't seem to print a lot of useful information (nothing really)

@RobinUS2 I'm afraid I don't remember anything about it other than what I wrote in the README in the tool's repo. Perhaps check that go mod graph is giving meaningful output.

JoelColledge, Jun 20 '22 11:06

Yes go mod graph is fine, maybe it's a Go version thing (having 1.18.2 here), wrote something myself that does what I needed: https://github.com/RobinUS2/godephunter

RobinUS2, Jun 20 '22 13:06

Hello folks. Just a quick message to drop in and acknowledge the ticket. I sincerely apologise for the (way too) long delay. For some reason something had switched off notifications about new issues in this project and my own development has been dormant. 🤦

I will try to get to this over the next few weeks to see what needs doing. If someone wants to take a stab themselves at adding this please let me know as well so we don't do double work.

Helcaraxan, Jul 25 '22 17:07

Hey @Helcaraxan, no worries, your work is appreciated either way!

MoSattler, Jul 26 '22 09:07