Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump go mod version back down to 1.20 #13

Closed
nathanperkins opened this issue Mar 11, 2024 · 3 comments
Closed

Bump go mod version back down to 1.20 #13

nathanperkins opened this issue Mar 11, 2024 · 3 comments

Comments

@nathanperkins
Copy link
Contributor

nathanperkins commented Mar 11, 2024
edited
Loading

tl;dr - revert the go mod version from 1.21 back to 1.20 to avoid this module forcing downstream modules to upgrade

In 1.21, the go tooling introduced new go mod management behavior where a repo's go mod version, like go 1.20 will automatically be upgraded if it is less than the minimum go mod version of any of its dependencies.

For example, if I have a module using 1.20 and I import a module which uses 1.21, running go mod tidy will update my module to 1.21.

Unfortunately, this makes it hard for us to maintain stable releases because bumping any dependency to resolve a CVE may force us to bump the go mod version, which introduces potentially undesirable changes to the runtime behavior. We are seeing that in our projects which import mdlayher/socket right now.

The go team is considering a proposal which can mitigate this issue, and we are waiting to see when it will be delivered. We are hoping for 1.23.

Until then, could we set this project's go.mod version back to 1.20 so that importing this repo doesn't force other projects to upgrade? If there is no 1.21+ feature used in the repo, then this should essentially be a no-op.
nathanperkins added a commit to nathanperkins/socket that referenced this issue Mar 11, 2024
@nathanperkins
Revert go mod version to 1.20
b48f636 
This avoids new 1.21 go mod management behavior which automatically
upgrades a module's go mod version based on dependencies.

See mdlayher#13 for discussion
@nathanperkins nathanperkins mentioned this issue Mar 11, 2024
Merged
mdlayher pushed a commit that referenced this issue Mar 11, 2024
@nathanperkins
Revert go mod version to 1.20 (#14)
9312637 
This avoids new 1.21 go mod management behavior which automatically
upgrades a module's go mod version based on dependencies.

See #13 for discussion
@nathanperkins
Copy link
Contributor Author

@mdlayher will this automatically release as a new version or do we need to manually tag?

@nathanperkins
Copy link
Contributor Author

Thank you for merging the fix! :)

@mdlayher
Copy link
Owner

No problem, thank you for the pr! I will cut a tag tomorrow with a script but you can always pull at latest for gomod.

@nathanperkins nathanperkins mentioned this issue Mar 15, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mdlayher @nathanperkins