
Potential collision and risk from indirect dependence "github.com/etcd-io/bbolt"

Open · KateGo520 opened this issue 5 years ago • 1 comment

Dependency line:

github.com/darvid/stashvision --> github.com/blevesearch/bleve v0.8.1 --> github.com/etcd-io/bbolt

Background

etcd-io/bbolt has already renamed its import path from "github.com/etcd-io/bbolt" to "go.etcd.io/bbolt". As the etcd-io/bbolt README.md says, downstream repos should use "go.etcd.io/bbolt" to get or import etcd-io/bbolt:

> To start using Bolt, install Go and run `go get`:
>
>     $ go get go.etcd.io/bbolt/...
>
> This will retrieve the library and install the `bolt` command line utility into your `$GOBIN` path.
>
> Importing bbolt
>
> To use bbolt as an embedded key-value store, import as:
>
>     import bolt "go.etcd.io/bbolt"
>
> …

But blevesearch/bleve v0.8.1 still used the old path: https://github.com/blevesearch/bleve/blob/v0.8.1/index/store/boltdb/iterator.go#L20

```go
import (
	"bytes"
	bolt "github.com/etcd-io/bbolt"
)
```

I find that go.etcd.io/bbolt and github.com/etcd-io/bbolt coexist in this repo: https://github.com/darvid/stashvision/blob/master/stashvision-go/go.mod (Line 19 & 38)

```
github.com/etcd-io/bbolt v1.3.3 // indirect
go.etcd.io/bbolt v1.3.3 // indirect
```

That’s because etcd-io/bbolt renamed its import path from "github.com/etcd-io/bbolt" to "go.etcd.io/bbolt" in version v1.3.3. When Go uses the old path "github.com/etcd-io/bbolt" to import etcd-io/bbolt, it reintroduces etcd-io/bbolt through the import statement "import go.etcd.io/bbolt" in the Go source files of etcd-io/bbolt:

https://github.com/etcd-io/bbolt/blob/v1.3.3/cursor_test.go#L14

```go
package bbolt_test

import (
	bolt "go.etcd.io/bbolt"
	…
)
```

The "go.etcd.io/bbolt" and "github.com/etcd-io/bbolt" are the same repos. This will work in isolation, bring about potential risks and problems.

Solution

1. Add a replace statement in the go.mod file:

   ```
   replace github.com/etcd-io/bbolt => go.etcd.io/bbolt v1.3.3
   ```

   Then clean the dependencies.

2. Update the direct dependency github.com/blevesearch/bleve. The latest version of github.com/blevesearch/bleve is v1.0.9. This problem does not exist in the new version: https://github.com/blevesearch/bleve/blob/v1.0.9/index/store/boltdb/iterator.go

   ```go
   package boltdb

   import (
   	"bytes"

   	bolt "go.etcd.io/bbolt"
   )
   ```

KateGo520 avatar Aug 12 '20 00:08 KateGo520
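As an added example (not code from the issue, from stashvision or from bbolt), a small Go check that parses a go.mod, flags a module required under both a retired path and its canonical path, and emits the replace directive the issue proposes. The alias table holds only the bbolt pair from its README and the sample go.mod is constructed; both are assumptions.

```go
package main

import "strings"

// Constructed go.mod excerpt mirroring the two indirect entries quoted in the issue (not the project's real file).
const sampleGoMod = `module example.com/stashvision-go

require (
	github.com/blevesearch/bleve v0.8.1
	github.com/etcd-io/bbolt v1.3.3 // indirect
	go.etcd.io/bbolt v1.3.3 // indirect
)
`

// Retired path -> canonical path. Only the bbolt pair from its README is listed; a fuller table is assumed.
var aliases = map[string]string{"github.com/etcd-io/bbolt": "go.etcd.io/bbolt"}

// parseRequires maps module path -> version, handling single-line and block require forms; // comments are ignored.
func parseRequires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // strips "// indirect" and other comments
		}
		isReq := strings.HasPrefix(line, "require") // the keyword sits at column 0 in go.mod
		f := strings.Fields(strings.TrimPrefix(line, "require"))
		switch {
		case len(f) == 1 && f[0] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 2 && (inBlock || isReq):
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// FindCollisions returns a replace directive for each retired path required alongside its canonical path.
func FindCollisions(gomod string) []string {
	reqs, out := parseRequires(gomod), []string{}
	for old, canon := range aliases {
		v, hasOld := reqs[old]
		if _, hasNew := reqs[canon]; hasOld && hasNew {
			out = append(out, "replace "+old+" => "+canon+" "+v)
		}
	}
	return out
}
```

The directive is pinned to the version go.mod already carries, so applying it and running `go mod tidy` leaves a single copy of the module.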

@darvid Could you help me review this issue? Thx :p

KateGo520 avatar Aug 12 '20 00:08 KateGo520