cmd/go: 'go mod graph' doesn't show module's replacement #46365
Comments
|
Apologies if this has been raised before. I did a quick search, but didn't find anything. If this is the expected behaviour then perhaps it is just a case of documenting the behaviour.... |
As a side note, I have a suspicion that some vulnerability checking tools are using 'go mod graph' to find dependencies and check against known CVEs. Sounds like this is not the way to go... |
Yeah, The rate of false-positives (for modules that are present in the module graph but not otherwise relevant to the packages or tests in the main module) would be extremely high. |
@bcmills do you think it is worth updating the graph command line documentation here go/src/cmd/go/internal/modcmd/graph.go Line 24 in 2ebe77a
to say something like:
I'm happy to raise a PR if you think this is the way forward and we can come up with a suitable wording. |
@bvwells, “(with replacements not applied)” is not accurate. The replacements are applied. They replace the source code (and So if you (I know that this behavior is not particularly intuitive, but it's also difficult to fix to match folks' intuition without breaking other things. I'm planning to revamp |
@bcmills Do you mean that
|
@sify21 Yes, The term “build list” is a bit of a misnomer, but it has a consistent meaning in the documentation. Per https://golang.org/ref/mod#glos-build-list:
|
@bcmills Oh I see, do you know any other method to get those relevant modules? Or is it that different commands have different relevant modules? |
That's getting a bit off-topic for this issue. (See #42504 instead.) |
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (go env)?
What did you do?
Not completely sure whether this is an issue or what the expected behaviour is here. I've tried to describe the issue here
https://github.com/bvwells/module-graph
This is to clarify the behaviour of 'go mod graph' when the replace is used in a module. The example adds a replace in the module for a dependency. After doing 'go mod tidy' the only version seen in the sum file is the version defined in the replace statement.
Then run 'go mod graph' to output the module graph.
What did you expect to see?
The documentation states:
See https://golang.org/ref/mod#go-mod-graph
I was expecting to see the dependency gopkg.in/yaml.v3 replaced with the version gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b.
What did you see instead?
The original dependency versions of gopkg.in/yaml.v3 were seen in the graph.
Apologies if I've misunderstood the documentation.
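For tooling that needs the version whose source is actually compiled, `go list -m -json all` reports each build-list module together with its `Replace` field. The sketch below is an added example, not code from this thread or from the Go project; the `go list` output is a constructed sample, and `example.com/app`, the all-zero pseudo-version, and the helper names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

type module struct { // the `go list -m -json` fields used here
	Path, Version string
	Replace       *module
}

// Constructed sample of `go list -m -json all`; module name and all-zero version are placeholders.
const sampleList = `{"Path":"example.com/app","Main":true}
{"Path":"gopkg.in/yaml.v3","Version":"v3.0.0-00010101000000-000000000000",
 "Replace":{"Path":"gopkg.in/yaml.v3","Version":"v3.0.0-20210107192922-496545a6307b"}}`

// effectiveSources maps each build-list module path to the source actually compiled.
func effectiveSources(r io.Reader) (map[string]string, error) {
	out := map[string]string{}
	for dec := json.NewDecoder(r); ; {
		var m module
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		src := m
		if m.Replace != nil {
			src = *m.Replace // a replacement supplies the source for this path
		}
		out[m.Path] = strings.TrimSuffix(src.Path+"@"+src.Version, "@")
	}
}

// resolve maps a `go mod graph` node ("path@version") to the source used for that path.
func resolve(node string, eff map[string]string) string {
	path, _, _ := strings.Cut(node, "@")
	if src, ok := eff[path]; ok {
		return src
	}
	return node
}

func main() {
	eff, _ := effectiveSources(strings.NewReader(sampleList))
	fmt.Println(resolve("gopkg.in/yaml.v3@v3.0.0-00010101000000-000000000000", eff))
}
```

This addresses only the version question raised in the issue: the build list still contains modules that contribute no packages to the build, so matching it against CVE data keeps the false-positive problem described in the comments.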