diff --git a/DEVELOPING.md b/DEVELOPING.md index d799900517..d138368c5b 100644 --- a/DEVELOPING.md +++ b/DEVELOPING.md @@ -49,12 +49,11 @@ go run ./tools/ ## Dependency management -Dependencies are managed using [Modules](https://github.com/golang/go/wiki/Modules) and are tracked in the repository across three files: +Dependencies are managed using [Modules](https://github.com/golang/go/wiki/Modules) and are tracked in the repository across two files: - [go.mod](go.mod): Contains a list of direct dependencies, and some indirect dependencies (see [why](https://github.com/golang/go/wiki/Modules#why-does-go-mod-tidy-record-indirect-and-test-dependencies-in-my-gomod)). - [go.sum](go.sum): Contains hashes for dependencies that are used for verifying downloaded dependencies. -- [go.list](go.list): A file that is unique to this Go repository, containing the output of `go list -m all`, and captures all direct and indirect dependencies and their versions used in builds and tests within this repository. This is not a lock file but instead it helps us track over time which versions are being used for builds and tests, and to see when that changes in PR diffs. -### Adding new dependencies +### Adding/Removing dependencies Add new dependencies by adding the import paths to the code. The next time you execute a Go command the tool will update the `go.mod` and `go.sum` files. @@ -64,11 +63,8 @@ To add a specific version of a dependency use `go get`: go get @ ``` -Go modules files track the minimum dependency required, not the exact dependency version that will be used. To validate the version of the dependency being used update the `go.list` file by running `go mod -m all > go.list`. - -Before opening a PR make sure to run these commands to tidy the module files: +Before opening a PR make sure to run following command to tidy the module file. It will keep the go.* files tidy: - `go mod tidy` -- `go list -m all > go.list` ### Updating a dependency @@ -77,23 +73,10 @@ Update an existing dependency by using `go get`: ``` go get @ ``` - -Go modules files track the minimum dependency required, not the exact dependency version that will be used. To validate the version of the dependency being used update the `go.list` file by running `go mod -m all > go.list`. - Before opening a PR make sure to run these commands to tidy the module files: -``` -go mod tidy -go list -m all > go.list -``` - -### Removing a dependency - -Remove a dependency by removing all import paths from the code, then use the following commands to remove any unneeded direct or indirect dependencies: - -``` -go mod tidy -go list -m all > go.list -``` + ``` + go mod tidy + ``` Note: `go list -m all` may show that the dependency is still being used. It will be possible that the dependency is still an indirect dependency. If it's important to understand why the dependency is still being used, use `go mod why /...` and `go mod graph | grep ` to understand which modules are importing it. @@ -101,9 +84,10 @@ Note: `go list -m all` may show that the dependency is still being used. It will When updating or adding dependencies it's critical that we review what the changes are in those dependencies that we are introducing into our builds. When -dependencies change the diff for the `go.list` file may be too complex to -understand. In those situations use the [golistcmp] tool to get a list of -changing modules, as well as GitHub links for easy access to diff review. +dependencies change the diff for the `go.mod` file may be complex to +understand. In that situation check each new or upgraded dependency, +and check each dependencies code diffs to see what is being imported. +Always treat code being imported as code written that needs review. ``` git checkout master diff --git a/go.list b/go.list deleted file mode 100644 index b90a8173f3..0000000000 --- a/go.list +++ /dev/null @@ -1,107 +0,0 @@ -cloud.google.com/go v0.84.0 -cloud.google.com/go/firestore v1.5.0 -cloud.google.com/go/storage v1.10.0 -firebase.google.com/go v3.12.0+incompatible -github.com/BurntSushi/toml v0.3.1 -github.com/Masterminds/squirrel v1.5.0 -github.com/adjust/goautoneg v0.0.0-20150426214442-d788f35a0315 -github.com/ajg/form v0.0.0-20160822230020-523a5da1a92f -github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d -github.com/aws/aws-sdk-go v1.39.5 -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 -github.com/davecgh/go-spew v1.1.1 -github.com/elazarl/go-bindata-assetfs v1.0.0 -github.com/fatih/structs v1.0.0 -github.com/gavv/monotime v0.0.0-20161010190848-47d58efa6955 -github.com/getsentry/raven-go v0.0.0-20160805001729-c9d3cc542ad1 -github.com/go-chi/chi v4.0.3+incompatible -github.com/go-errors/errors v0.0.0-20150906023321-a41850380601 -github.com/golang-jwt/jwt v3.2.1+incompatible -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e -github.com/golang/protobuf v1.5.2 -github.com/google/go-cmp v0.5.6 -github.com/google/go-querystring v0.0.0-20160401233042-9235644dd9e5 -github.com/google/uuid v1.2.0 -github.com/googleapis/gax-go/v2 v2.0.5 -github.com/gorilla/schema v1.1.0 -github.com/graph-gophers/graphql-go v1.3.0 -github.com/guregu/null v2.1.3-0.20151024101046-79c5bd36b615+incompatible -github.com/hashicorp/golang-lru v0.5.1 -github.com/holiman/uint256 v1.2.0 -github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c -github.com/hpcloud/tail v1.0.0 -github.com/imkira/go-interpol v1.1.0 -github.com/jarcoal/httpmock v0.0.0-20161210151336-4442edb3db31 -github.com/jmespath/go-jmespath v0.4.0 -github.com/jmoiron/sqlx v1.2.0 -github.com/klauspost/compress v0.0.0-20161106143436-e3b7981a12dd -github.com/klauspost/cpuid v0.0.0-20160302075316-09cded8978dc -github.com/klauspost/crc32 v0.0.0-20161016154125-cb6bfca970f6 -github.com/kr/pretty v0.1.0 -github.com/kr/text v0.1.0 -github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 -github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 -github.com/lib/pq v1.2.0 -github.com/magiconair/properties v1.5.4 -github.com/manucorporat/sse v0.0.0-20160126180136-ee05b128a739 -github.com/matttproud/golang_protobuf_extensions v1.0.1 -github.com/mitchellh/go-homedir v1.1.0 -github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366 -github.com/moul/http2curl v0.0.0-20161031194548-4e24498b31db -github.com/onsi/ginkgo v1.7.0 -github.com/onsi/gomega v1.4.3 -github.com/opentracing/opentracing-go v1.1.0 -github.com/pelletier/go-toml v1.9.0 -github.com/pkg/errors v0.9.1 -github.com/pmezard/go-difflib v1.0.0 -github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829 -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 -github.com/prometheus/common v0.2.0 -github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1 -github.com/rs/cors v0.0.0-20160617231935-a62a804a8a00 -github.com/rs/xhandler v0.0.0-20160618193221-ed27b6fd6521 -github.com/rubenv/sql-migrate v0.0.0-20190717103323-87ce952f7079 -github.com/segmentio/go-loggly v0.5.1-0.20171222203950-eb91657e62b2 -github.com/sergi/go-diff v0.0.0-20161205080420-83532ca1c1ca -github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 -github.com/sirupsen/logrus v1.4.1 -github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94 -github.com/spf13/cobra v0.0.0-20160830174925-9c28e4bbd74e -github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431 -github.com/spf13/pflag v0.0.0-20161005214240-4bd69631f475 -github.com/spf13/viper v0.0.0-20150621231900-db7ff930a189 -github.com/stellar/go -github.com/stellar/go-xdr v0.0.0-20211103144802-8017fc4bdfee -github.com/stellar/throttled v2.2.3-0.20190823235211-89d75816f59d+incompatible -github.com/stretchr/objx v0.3.0 -github.com/stretchr/testify v1.7.0 -github.com/tyler-smith/go-bip39 v0.0.0-20180618194314-52158e4697b8 -github.com/valyala/bytebufferpool v1.0.0 -github.com/valyala/fasthttp v0.0.0-20170109085056-0a7f0a797cd6 -github.com/xdrpp/goxdr v0.1.1 -github.com/xeipuuv/gojsonpointer v0.0.0-20151027082146-e0fe6f683076 -github.com/xeipuuv/gojsonreference v0.0.0-20150808065054-e02fc20de94c -github.com/xeipuuv/gojsonschema v0.0.0-20161231055540-f06f290571ce -github.com/yalp/jsonpath v0.0.0-20150812003900-31a79c7593bb -github.com/yudai/gojsondiff v0.0.0-20170107030110-7b1b7adf999d -github.com/yudai/golcs v0.0.0-20150405163532-d1c525dea8ce -go.opencensus.io v0.23.0 -golang.org/x/crypto v0.0.0-20211202192323-5770296d904e -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 -golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914 -golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 -golang.org/x/text v0.3.6 -golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 -google.golang.org/api v0.50.0 -google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84 -google.golang.org/grpc v1.38.0 -google.golang.org/protobuf v1.26.0 -gopkg.in/fsnotify.v1 v1.4.7 -gopkg.in/gavv/httpexpect.v1 v1.0.0-20170111145843-40724cf1e4a0 -gopkg.in/gorp.v1 v1.7.1 -gopkg.in/square/go-jose.v2 v2.4.1 -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 -gopkg.in/tylerb/graceful.v1 v1.2.13 -gopkg.in/yaml.v2 v2.2.8 -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c diff --git a/golist.sh b/golist.sh deleted file mode 100755 index 740b390ab4..0000000000 --- a/golist.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/env bash - -go list -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' all | LC_ALL=C sort -u diff --git a/gomod.sh b/gomod.sh index c894870623..2c83bc1c1f 100755 --- a/gomod.sh +++ b/gomod.sh @@ -4,5 +4,4 @@ set -e go mod tidy git diff --exit-code -- go.mod || (echo "Go file go.mod is dirty, update the file with 'go mod tidy' locally." && exit 1) git diff --exit-code -- go.sum || (echo "Go file go.sum is dirty, update the file with 'go mod tidy' locally." && exit 1) -diff -u go.list <(./golist.sh) || (echo "Go dependencies have changed, update the go.list file with './golist.sh > go.list' locally." && exit 1) go mod verify || (echo "One or more Go dependencies failed verification. Either a version is no longer available, or the author or someone else has modified the version so it no longer points to the same code." && exit 1)