google
Policy on how recent the go version in the go.mod file can be
This point was brought up in In https://github.com/google/osv-scanner/pull/637.
We might like to make a policy that osv-scanner will only use versions of Go, say at least two release behind. This will help consumers know how up-to-date their version of Go should be to be able to use this as a library and as a CLI tool.
Based on my understanding of this blog, this problem may get less severe in the future for those with default settings: https://go.dev/doc/toolchain
The default GOTOOLCHAIN setting is auto
When GOTOOLCHAIN is set to
+auto or +path (or the shorthands auto or path), the go command selects and runs a newer Go version as needed. Specifically, it consults the toolchain and go lines in the current workspace’s go.work file or, when there is no workspace, the main module’s go.mod file. If the go.work or go.mod file has a toolchain line and is newer than the default Go toolchain, then the go command runs instead. If the file has a toolchain default line, then the go command runs the default Go toolchain, disabling any attempt at updating beyond . Otherwise, if the file has a go line and is newer than the default Go toolchain, then the go command runs go instead.
This issue has not had any activity for 60 days and will be automatically closed in two weeks
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
