
Potential collision and risk from indirect dependence "github.com/gotestyourself/gotestyourself"

Open KateGo520 opened this issue 4 years ago • 3 comments

Background

Repo ystia/yorc used the old path to import gotestyourself indirectly. As a result, github.com/gotestyourself/gotestyourself and gotest.tools coexist in this repo: https://github.com/ystia/yorc/blob/develop/go.mod (Line 52 & 118)

github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
gotest.tools v2.2.0+incompatible // indirect 

That’s because gotestyourself has already renamed its import path from "github.com/gotestyourself/gotestyourself" to "gotest.tools". When you use the old path "github.com/gotestyourself/gotestyourself" to import gotestyourself, it reintroduces gotestyourself through the import statements "import gotest.tools" in the Go source files of gotestyourself.

https://github.com/gotestyourself/gotest.tools/blob/v2.2.0/fs/example_test.go#L8

package fs_test
import (
	…
	"gotest.tools/assert"
	"gotest.tools/assert/cmp"
	"gotest.tools/fs"
	"gotest.tools/golden"
)

"github.com/gotestyourself/gotestyourself" and "gotest.tools" are the same repo. This will work in isolation and bring about potential risks and problems.

Solution

Add a replace statement in the go.mod file:

replace github.com/gotestyourself/gotestyourself => gotest.tools v2.3.0

Then clean the go.mod.

KateGo520, Aug 12 '20 23:08
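An added example, not part of the original issue or of the yorc code base: a small Go check that parses a go.mod and reports when an old module path is required alongside the path it was renamed to, as with the two lines quoted in the issue. The `renamed` table, the function names and the sample go.mod (module `example.com/app`) are assumptions constructed for illustration.

```go
package main

import "fmt"
import "strings"

// Constructed sample: the two require lines quoted in the issue, in a made-up module.
const sampleGoMod = `module example.com/app
require (
	github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
	gotest.tools v2.2.0+incompatible // indirect
)
`

// renamed maps an old module path to its current one (hypothetical table; extend as needed).
var renamed = map[string]string{"github.com/gotestyourself/gotestyourself": "gotest.tools"}

// requiredModules returns path -> version for each require entry (single-line or block form).
func requiredModules(gomod string) map[string]string {
	mods, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			mods[f[1]] = f[2]
		case inBlock && len(f) == 2:
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// collisions lists every old path that is required together with its renamed path.
func collisions(mods map[string]string) []string {
	var out []string
	for old, cur := range renamed {
		if ov, ok := mods[old]; ok && mods[cur] != "" {
			out = append(out, fmt.Sprintf("%s@%s coexists with %s@%s", old, ov, cur, mods[cur]))
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(collisions(requiredModules(sampleGoMod)), "\n")) }
```

Run against a real go.mod by passing the file's contents to `requiredModules`; an empty result means no listed old path is required alongside its renamed path.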

@stebenoist @loicalbertin Could you help me review this issue? Thx :p

KateGo520, Aug 12 '20 23:08

Hi @KateGo520,

Thanks for opening this issue!

Repository renaming is so painful for users!

Are you actually facing an issue on Yorc or is this really just about potential risks & problems?

Actually, this dependency is transitively coming from an old version of Hashicorp Vault, itself using an old version of github.com/ory/dockertest.

Using

replace github.com/gotestyourself/gotestyourself => gotest.tools v2.2.0

is not that simple, as we will face the "pkg used for two different module paths" issue, so we will probably need to replace it with another version like

replace github.com/gotestyourself/gotestyourself => gotest.tools v2.3.0

In fact, github.com/ory/dockertest recently fixed the issue in its v3 by now using gotest.tools/v3. To properly fix this, Vault should be updated to use github.com/ory/dockertest/v3 and we should upgrade to a newer version of Vault (which is planned in #619).

loicalbertin, Aug 13 '20 10:08

Thank you for your reply! @loicalbertin Updating to a newer version of Vault sounds good to me.

KateGo520, Aug 13 '20 10:08