go.mod: add replace rule to prevent unwanted updateds of grpc and jwt-go

This replace rule is to prevent unwanted updates of grpc and jwt-go. When updating
spf13/cobra, we noticed that google.golang.org/grpc got updated.

Doing a search to find which modules (note here that `go mod graph` only looks
at dependencies from a `go modules` perspective, and not all the (current version)
of our dependencies use go modules).

And I found that the only _modules_ depending on it are `github.com/spf13/viper`
and `github.com/grpc-ecosystem/grpc-gateway`:

```bash
$ go mod graph | grep ' google.golang.org/grpc'
github.com/spf13/viper@v1.4.0 google.golang.org/grpc@v1.21.0
github.com/grpc-ecosystem/grpc-gateway@v1.9.0 google.golang.org/grpc@v1.19.0
```

Of those, `github.com/grpc-ecosystem/grpc-gateway` is a dependency of
`github.com/spf13/viper`:

```bash
$ go mod graph | grep ' github.com/grpc-ecosystem/grpc-gateway'
github.com/spf13/viper@v1.4.0 github.com/grpc-ecosystem/grpc-gateway@v1.9.0
```

So looking at that one, it's a dependency of cobra:

```bash
$ go mod graph | grep ' github.com/spf13/viper@v1.4.0'
github.com/spf13/cobra@v1.0.0 github.com/spf13/viper@v1.4.0
```

Ironically, while both `github.com/spf13/viper` and `github.com/grpc-ecosystem/grpc-gateway`,
depend on `google.golang.org/grpc` and (through their `go.mod`) are responsible
for `go mod` to update the dependency version of grpc, none of them are used:

```bash
cat vendor/modules.txt | grep github.com/spf13/viper
cat vendor/modules.txt | grep github.com/grpc-ecosystem/grpc-gateway
```

Unfortunately, `go modules` looks at `go.mod` to determine the *minimum version*
required; _even if the parts of the modules specifying it in the `go.mod` are unused_.

This patch adds a `replace` rule in go.mod to prevent updating grpc based on
other dependencies that _declare_ `google.golang.org/grpc` as a dependency,
but are not used and, hence, should not influence the minumum version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
Sebastiaan van Stijn 2021-04-23 18:34:53 +02:00
parent 02e2231e60
commit f9c1b86feb
No known key found for this signature in database
GPG Key ID: 76698F39D527CE8C
2 changed files with 15 additions and 1 deletions

13
go.mod
View File

@ -38,8 +38,21 @@ require (
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff
// when updating google.golang.org/cloud, update (or remove) the replace
// rule for google.golang.org/grpc accordingly.
google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8
google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a // indirect
gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789
gopkg.in/yaml.v2 v2.4.0
)
// Prevent unwanted updates of grpc. In our codebase, it's a dependency of
// google.golang.org/cloud. However, github.com/spf13/viper (which is an indirect
// dependency of github.com/spf13/cobra) declares a more recent version. Viper
// is not used in the codebase, but go modules uses the go.mod of *all* dependen-
// cies to determine the minimum version of a module, but does *not* check if that
// depdendency's code using the dependency is actually used.
//
// In our case, github.com/spf13/viper occurs as a dependency, but is unused,
// so we can ignore the minimum versions of grpc and jwt-go that it specifies.
replace google.golang.org/grpc => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a

3
vendor/modules.txt vendored
View File

@ -238,7 +238,7 @@ google.golang.org/cloud
google.golang.org/cloud/internal
google.golang.org/cloud/internal/opts
google.golang.org/cloud/storage
# google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a
# google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a
## explicit
google.golang.org/grpc
google.golang.org/grpc/codes
@ -255,3 +255,4 @@ gopkg.in/check.v1
# gopkg.in/yaml.v2 v2.4.0
## explicit
gopkg.in/yaml.v2
# google.golang.org/grpc => google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a