Potential collision and risk from indirect dependence "github.com/rsc/qr"
Dependency line:
github.com/kreuzwerker/awsu --> github.com/mdp/qrterminal v1.0.0 --> github.com/rsc/qr
github.com/mdp/qrterminal v1.0.0 --> github.com/rsc/qr (No version information) https://github.com/mdp/qrterminal/blob/v1.0.0/qrterminal.go#L7
```go
package qrterminal

import (
	"io"
	"strings"

	"github.com/rsc/qr"
)
```
Background
Repo mdp/qrterminal used the old path to import rsc/qr, and did not use modules in version v1.0.0.
This caused github.com/rsc/qr and rsc.io/qr to coexist in this repo:
https://github.com/kreuzwerker/awsu/blob/master/go.mod (Line 9 & 18)
```
github.com/rsc/qr v0.1.0
rsc.io/qr v0.2.0 // indirect
```
That’s because rsc/qr has already renamed its import path from "github.com/rsc/qr" to "rsc.io/qr". When you use the old path "github.com/rsc/qr" to import rsc/qr, it reintroduces rsc/qr through the import statement "import rsc.io/qr" in the Go source file of rsc/qr.
https://github.com/rsc/qr/blob/v0.1.0/qr.go#L15
```go
package qr

import (
	"errors"
	"image"
	"image/color"

	"rsc.io/qr/coding"
)
```
"github.com/rsc/qr" and "rsc.io/qr" are the same repo. This will work in isolation and bring about potential risks and problems.
Solution
1. Add a replace statement to the go.mod file:
```
replace github.com/rsc/qr => rsc.io/qr v0.1.0
```
Then clean the go.mod.
2. Update the direct dependency github.com/mdp/qrterminal. This problem does not exist in the latest version v3.0.0 of github.com/mdp/qrterminal.
https://github.com/mdp/qrterminal/blob/v3.0.0/qrterminal.go#L7
```go
package qrterminal

import (
	"io"
	"strings"

	"rsc.io/qr"
)
```
@yawn @wontonst Could you help me review this issue? Thx :p
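A check for the situation this issue describes, as an added example that is not part of the issue or of the awsu project: it scans go.mod text for a module required under both its old and its renamed path, and drops the finding once a replace directive covers the old path. The `renamed` table, `FindCollisions` and the sample go.mod are assumptions made for illustration; the one rename entry is the one stated in the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// renamed lists {old path, current path} pairs (assumed table; this entry is the rename from the issue).
var renamed = [][2]string{{"github.com/rsc/qr", "rsc.io/qr"}}

// sampleGoMod is constructed for this example from the two require lines quoted in the issue.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgithub.com/rsc/qr v0.1.0\n\trsc.io/qr v0.2.0 // indirect\n)\n"

// FindCollisions returns one finding per module that go.mod requires under both
// its old and its current path, unless a replace directive redirects the old path.
func FindCollisions(gomod string) []string {
	required, replaced, block := map[string]string{}, map[string]bool{}, ""
	for sc := bufio.NewScanner(strings.NewReader(gomod)); sc.Scan(); {
		f := strings.Fields(strings.SplitN(sc.Text(), "//", 2)[0]) // drop trailing comments
		if len(f) == 0 {
			continue
		}
		if f[0] == ")" || f[len(f)-1] == "(" { // "require (" opens a block, ")" closes it
			block = strings.TrimSuffix(f[0], ")")
			continue
		}
		kind, args := block, f
		if block == "" { // single-line directive: the first field names it
			kind, args = f[0], f[1:]
		}
		if kind == "require" && len(args) >= 2 {
			required[args[0]] = args[1]
		} else if kind == "replace" && len(args) >= 3 {
			replaced[args[0]] = true
		}
	}
	var out []string
	for _, r := range renamed {
		ov, hasOld := required[r[0]]
		cv, hasCur := required[r[1]]
		if hasOld && hasCur && !replaced[r[0]] {
			out = append(out, fmt.Sprintf("%s %s and %s %s are the same module", r[0], ov, r[1], cv))
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(FindCollisions(sampleGoMod), "\n")) }
```
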
Sorry, still on vacation - can it wait until beginning of next month?