
Ignore retracted versions of go dependencies

Open secustor opened this issue 3 years ago • 3 comments

What would you like Renovate to be able to do?

Currently Renovate simply picks the tags of a dependency and uses semver to get the highest version.
In case the highest version is retracted, this leads to unwanted upgrades.

Example: https://pkg.go.dev/k8s.io/[email protected]?tab=versions https://github.com/kubernetes/client-go/blob/v1.5.2/go.mod

If you have any ideas on how this should be implemented, please tell us here.

  1. Get versions as it is done currently
  2. Fetch go.mod of highest semantic version
  3. Extract the retract directive https://go.dev/ref/mod#go-mod-file-retract
  4. Remove matching tags

Is this a feature you are interested in implementing yourself?

Maybe

secustor avatar Dec 08 '21 14:12 secustor

Is this problem mostly avoided if GOPROXY is in use?

rarkins avatar Dec 08 '21 16:12 rarkins

No, it shouldn't make any difference, as these proxies return all available versions, even the retracted ones.

Regardless, the implementation will be easier when using proxies as we can download the go.mod directly from the same API as the versions are queried.
https://proxy.golang.org/k8s.io/client-go/@v/v1.5.2.mod

secustor avatar Dec 08 '21 20:12 secustor
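The four steps listed in the issue, worked through as an added example; this is not Renovate's code and not code from anyone in this thread. It takes go.mod text in the form the proxy's /@v/<version>.mod endpoint mentioned above would return for the highest tag (the sample go.mod, the module name, the tag list and all helper names below are constructed for illustration, not taken from any real module), parses the single, range and block forms of the retract directive from the referenced spec, and drops matching tags before picking the highest one. The semver comparison is a deliberately minimal stand-in for golang.org/x/mod/semver so that the block runs with the standard library only.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod (not copied from any real module) as the proxy's /@v/<version>.mod
// endpoint would return it; it uses all three retract forms: single, closed range, block.
const sampleGoMod = `module example.com/widget

retract (
	v1.5.2 // published from the wrong branch
	[v1.5.0, v1.5.1]
)
retract v1.4.0
`

type retraction struct{ Low, High string } // closed interval; Low == High for a single version

// parseRetract extracts retract directives from go.mod text (step 3), dropping // comments.
func parseRetract(gomod string) []retraction {
	var out []retraction
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "retract") {
			line = strings.TrimSpace(strings.TrimPrefix(line, "retract"))
			inBlock = line == "(" // `retract (` opens a block; otherwise the rest is one spec
		} else if !inBlock {
			continue
		} else if line == ")" {
			inBlock = false
			continue
		}
		if r, ok := parseRetractSpec(line); ok {
			out = append(out, r)
		}
	}
	return out
}

// parseRetractSpec turns "v1.2.3" or "[v1.0.0, v1.0.5]" into a retraction.
func parseRetractSpec(s string) (retraction, bool) {
	if strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]") {
		lo, hi, ok := strings.Cut(s[1:len(s)-1], ",")
		return retraction{strings.TrimSpace(lo), strings.TrimSpace(hi)}, ok
	}
	return retraction{s, s}, strings.HasPrefix(s, "v")
}

// isRetracted reports whether v lies inside any retracted interval.
func isRetracted(v string, rs []retraction) bool {
	for _, r := range rs {
		if !less(v, r.Low) && !less(r.High, v) {
			return true
		}
	}
	return false
}

// highestAllowed returns the highest tag that is not retracted (step 4 plus the pick), or "".
func highestAllowed(tags []string, rs []retraction) (best string) {
	for _, v := range tags {
		if !isRetracted(v, rs) && (best == "" || less(best, v)) {
			best = v
		}
	}
	return best
}

// less orders "vMAJOR.MINOR.PATCH[-pre][+incompatible]" strings: numeric core first, a pre-release
// below its release, pre-release tags as plain strings, build suffix ignored (stand-in for x/mod/semver).
func less(a, b string) bool {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	if ca != cb {
		return ca[0] < cb[0] || ca[0] == cb[0] && (ca[1] < cb[1] || ca[1] == cb[1] && ca[2] < cb[2])
	}
	return pa != "" && (pb == "" || pa < pb)
}

func splitVersion(v string) (core [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	for i, f := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(f)
	}
	return core, pre
}

func main() {
	tags := []string{"v1.5.2", "v1.3.0", "v1.5.0", "v1.4.0", "v1.5.1", "v1.2.9"} // constructed tag list (step 1)
	rs := parseRetract(sampleGoMod)
	fmt.Println("retracted:", rs, "highest allowed:", highestAllowed(tags, rs))
}
```

Two points a practitioner would check before wiring this into a datasource: the go.mod to parse is the one of the highest tag (step 2), because a module commonly retracts the very version whose go.mod carries the directive, so a retracted highest tag is still the right place to read the list from; and the go command's own ordering of pre-release identifiers is richer than the plain string comparison used here, so a real implementation should compare with golang.org/x/mod/semver rather than this stand-in.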

As a workaround for the Kubernetes client-go library, I'm using this config to manually ignore those versions, in case anyone else is looking for something like this:

{
  "packageRules": [
    {
      "matchPackageNames": ["k8s.io/client-go"],
      "allowedVersions": "!/1\\.(4\\.0|5\\.0|5\\.1|5\\.2)$/"
    }
  ]
}

sarahhodne avatar Jan 25 '22 10:01 sarahhodne

I'm running into this problem as well now. In case it helps, the version-retraction mechanism in go is explained here:

https://go.dev/ref/mod#go-mod-file-retract

It seems like the rollback feature should be in play here, but (clearly) isn't working for some reason.

cevich avatar Oct 18 '22 17:10 cevich

Hi there,

Get your issue fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible.

Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this.

To get started, please read our guide on creating a minimal reproduction.

We may close the issue if you, or someone else, haven't created a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment.

Good luck,

The Renovate team

github-actions[bot] avatar Nov 25 '22 14:11 github-actions[bot]