go.mod: upgrade to the highest patch versions #1210

Closed
76 changes: 44 additions & 32 deletions go.mod
Expand Up @@ -6,30 +6,34 @@ require (
cloud.google.com/go/pubsub v1.4.0
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
github.com/DataDog/datadog-agent/pkg/obfuscate v0.0.0-20211129110424-6491aa3bf583
github.com/DataDog/datadog-go v4.8.3+incompatible // indirect
github.com/DataDog/datadog-go/v5 v5.0.2
github.com/DataDog/gostackparse v0.5.0
github.com/DataDog/sketches-go v1.0.0
github.com/DataDog/zstd v1.3.5 // indirect
github.com/DataDog/zstd v1.3.8 // indirect
github.com/Microsoft/go-winio v0.5.2 // indirect
github.com/Microsoft/hcsshim v0.8.9 // indirect
github.com/PuerkitoBio/goquery v1.5.1 // indirect
github.com/Shopify/sarama v1.22.0
github.com/Shopify/sarama v1.22.1
github.com/Shopify/toxiproxy v2.1.4+incompatible // indirect
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4 // indirect
github.com/andybalholm/brotli v1.0.4 // indirect
github.com/armon/go-metrics v0.3.10 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/aws/aws-sdk-go v1.34.28
github.com/aws/aws-sdk-go v1.34.34
Contributor

I'm a bit confused here. You say (in the PR description):

> [...] to avoid introducing bugged versions when a user dependency gets updated due to a dd-trace-go upgrade.

Do you mean to say in situations where there is no avoiding the upgrade of a dependency? I'll assume so, because otherwise we want to avoid dd-trace-go causing upgrades at all costs and we should be keeping the minimum supported versions here.

Lastly, I just want to say that in some situations, some people don't want the latest patch version. We have specific situations like this ourselves internally - where patch versions introduce issues so we're not upgrading. This is of course an exceptional situation, but I just want to bring awareness to it.

Contributor Author

> Do you mean to say in situations where there is no avoiding the upgrade of a dependency? I'll assume so, because otherwise we want to avoid dd-trace-go causing upgrades at all costs and we should be keeping the minimum supported versions here.

I talk about the case where the user dependency gets updated due to dd-trace-go.
If we take the example of what happened in dd-go:

  1. dd-go was using sqlx v1.2.0
  2. dd-trace-go was using sqlx v1.3.0 (bugged)
  3. so dd-go resulted in using sqlx v1.3.0, whose bugs were fortunately caught by their integration tests.

> Lastly, I just want to say that in some situations, some people don't want the latest patch version. We have specific situations like this ourselves internally - where patch versions introduce issues so we're not upgrading. This is of course an exceptional situation, but I just want to bring awareness to it.

A patch version introducing new issues? 🤔

We just need to decide what to do:

  1. Keeping the lowest even if they are bugged (i.e. they have higher patch release versions available) and letting the user upgrade themselves. The issue I see with this, with the previous example, is that maybe it won't be caught by any test and will lead to runtime/production issues.
  2. Or, like in this PR, we upgrade to the highest patch release (every time we release?).

Contributor

@Julio-Guerra regarding the sqlx v1.3.0, just to reiterate here so it's not lost in internal Slack, I intended to downgrade all dependencies to their lowest working, non-vulnerable versions in #1188, but I missed that sqlx v1.2.0 was the lowest listed on pkg.go.dev and still passes our tests. So the fact that it was set to v1.3.0 was just a mistake on my end, and isn't directly related to this issue.

Contributor

@Julio-Guerra I think we need to always keep the lowest possible supported version, regardless of its state (bugged or not), and let the user have full control of which version they want to use.

@nsrip-dd thanks for following up. Perhaps a short script can be written to do this.

Contributor Author

Didn't we agree that we should have in our go.mod file the highest non-vulnerable versions (of the lowest supported ones)? If that's the case, then the same logic applies to patch versions for the same reasons.

Contributor Author

@DataDog/profiling-go, @DataDog/tracing-go, @DataDog/appsec-go: let's get straight to the point: the current go.mod update rule is stated at https://github.com/DataDog/dd-trace-go/blob/julio.guerra/go-mod-patch-updates/CONTRIBUTING.md?plain=1#L43 and says "prefer the minimum secure versions of any modules rather than the latest versions".

What I propose is to adapt this rule so that any new dependency added to go.mod should also be upgraded to the highest patch release [of its minimum secure version]. The following dd-trace-go releases could then keep the existing go.mod dependencies the way they are, regardless of new patch versions. But newly added dependencies should again be updated to the highest patch version of their "minimum secure version".

Member (@felixge, Mar 11, 2022)

The agreement from the last guild meeting (according to the notes) was this:

> We’ll try to use minimal versions for all dependencies that compile against contrib and don’t pop up vulnerability warnings on GitHub.

@Julio-Guerra I would say we should treat critical bugs the same way as vulnerabilities: i.e. we should upgrade to the next higher version of the dependency that fixes the bug.

> I think we need to always keep the lowest possible supported version, regardless of its state (bugged or not), and let the user have full control of which version they want to use.

@gbbr users retain full control via the replace directive in any case.

Further I think we should not assume responsibility for implicitly upgrading modules that are also depended on by user applications. This behavior is inherent to the Go module ecosystem and users need to verify the indirect impacts of any module upgrade, not just dd-trace-go.

Regardless of what we decide, I think we need to write up our exact policy somewhere and agree to it. If somebody wants to take a shot at this, let me know. If not, I can put it on my plate, but I won't be able to deliver it until next week or later (we have R&D week next week). Edit: Our CONTRIBUTING.md file has our policy. We probably just need to clarify the situation if a version has "critical" bugs (e.g. those breaking dd-go).

Contributor

> (Julio) Didn't we agree that we should have in our go.mod file the highest non-vulnerable versions (of the lowest supported ones)? If that's the case, then the same logic applies to patch versions for the same reasons.

The same logic doesn't apply for patch versions. Patch versions fix bugs that are not necessarily vulnerabilities. Vulnerabilities have a special status in the wider software community that garden-variety bugs don't have. It is not our responsibility to force an upgrade to fix any random bug.

> (Felix) @Julio-Guerra I would say we should treat critical bugs the same way as vulnerabilities: i.e. we should upgrade to the next higher version of the dependency that fixes the bug.

I think this is OK. We don't want to cause an upgrade that totally breaks a user application. However we need to be careful how we define "critical". Are they ones that break dd-trace-go? Ones that just flat don't work for some reason? Ones that are retracted?

> (Felix) Further I think we should not assume responsibility for implicitly upgrading modules that are also depended on by user applications. This behavior is inherent to the Go module ecosystem and users need to verify the indirect impacts of any module upgrade, not just dd-trace-go.

Yes, as far as I'm concerned, the goal is to allow the broadest range of versions to the user, with the least likelihood of forcing an update, while ensuring that if we do force an update it does not introduce a vulnerability. I think this policy achieves that and fits well with Go's "minimum version selection" principle.
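
The sqlx walk-through earlier in this thread (dd-go requiring v1.2.0, dd-trace-go requiring v1.3.0, dd-go ending up on v1.3.0) and the minimum version selection remark just above describe the same mechanism. The Go program below is an added example and is not code from dd-trace-go or from anyone in this thread: it implements minimal version selection over a small constructed requirement graph (the module paths `example.com/dd-go` and `example.com/dd-trace-go` and the version `v1.36.0` are placeholders), shows how a `replace` directive in the consumer's go.mod pins the build back to v1.2.0 while the selected version stays v1.3.0, and classifies an old/new version pair as a patch or minor bump, which is the check a reviewer wants to run over a diff like this one. The treatment of `replace` is simplified: the replacement's own go.mod requirements are not re-walked.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module is one module version, e.g. {"github.com/jmoiron/sqlx", "v1.3.0"}.
type Module struct {
	Path, Version string
}

// Graph maps a module version to the module versions its go.mod requires.
// It is a constructed stand-in for the output of `go mod graph`.
type Graph map[Module][]Module

// parseSemver turns "v1.2.3" into [1 2 3]; a pre-release or pseudo-version
// suffix such as "-0.20200519221838-e0cfd64bc267" is dropped.
func parseSemver(v string) [3]int {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out
}

// Less reports whether version a is lower than version b (numeric, not lexical).
func Less(a, b string) bool {
	x, y := parseSemver(a), parseSemver(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// BumpLevel classifies an upgrade as "major", "minor", "patch" or "none".
func BumpLevel(old, new string) string {
	x, y := parseSemver(old), parseSemver(new)
	switch {
	case x[0] != y[0]:
		return "major"
	case x[1] != y[1]:
		return "minor"
	case x[2] != y[2]:
		return "patch"
	}
	return "none"
}

// Select implements minimal version selection: walk every module version
// reachable from main and keep, per module path, the highest version that any
// reachable go.mod requires. Nothing is raised beyond what some go.mod lists,
// but a higher requirement anywhere in the graph wins over the main module's.
func Select(g Graph, main Module) map[string]string {
	selected := map[string]string{}
	seen := map[Module]bool{main: true}
	queue := []Module{main}
	for len(queue) > 0 {
		m := queue[0]
		queue = queue[1:]
		for _, dep := range g[m] {
			if cur, ok := selected[dep.Path]; !ok || Less(cur, dep.Version) {
				selected[dep.Path] = dep.Version
			}
			if !seen[dep] {
				seen[dep] = true
				queue = append(queue, dep)
			}
		}
	}
	return selected
}

// Resolve applies the main module's replace directives to the selection: the
// selected version is unchanged in the graph, but the build uses the target's
// source. Simplification: the target's own requirements are not re-walked.
func Resolve(selected map[string]string, replace map[Module]Module) map[string]Module {
	out := map[string]Module{}
	for path, ver := range selected {
		m := Module{path, ver}
		if r, ok := replace[m]; ok {
			m = r
		}
		out[path] = m
	}
	return out
}

func main() {
	const sqlx = "github.com/jmoiron/sqlx"
	app := Module{"example.com/dd-go", "main"}             // placeholder for dd-go
	tracer := Module{"example.com/dd-trace-go", "v1.36.0"} // placeholder path and version
	g := Graph{
		app:    {{sqlx, "v1.2.0"}, tracer},
		tracer: {{sqlx, "v1.3.0"}}, // the tracer release that required the "bugged" sqlx
	}
	sel := Select(g, app)
	fmt.Println("selected sqlx:", sel[sqlx], "bump forced on the app:", BumpLevel("v1.2.0", sel[sqlx]))
	// The consumer's escape hatch mentioned in the thread, in the app's go.mod:
	//   replace github.com/jmoiron/sqlx v1.3.0 => github.com/jmoiron/sqlx v1.2.0
	built := Resolve(sel, map[Module]Module{{sqlx, "v1.3.0"}: {sqlx, "v1.2.0"}})
	fmt.Println("built from:", built[sqlx].Version)
}
```

Running it prints `selected sqlx: v1.3.0 bump forced on the app: minor` and then `built from: v1.2.0`; setting the tracer's requirement back to `v1.2.0` in the graph leaves the app on v1.2.0, which is the "keep the minimum" outcome the thread argues for.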

github.com/aws/aws-sdk-go-v2 v1.0.0
github.com/aws/aws-sdk-go-v2/config v1.0.0
github.com/aws/aws-sdk-go-v2/service/sqs v1.0.0
github.com/aws/aws-sdk-go-v2/service/sso v1.0.0 // indirect
github.com/aws/smithy-go v1.11.0
github.com/aws/smithy-go v1.11.1
github.com/beorn7/perks v1.0.1 // indirect
github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d
github.com/cenkalti/backoff/v3 v3.0.0 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1 // indirect
github.com/confluentinc/confluent-kafka-go v1.4.0
github.com/confluentinc/confluent-kafka-go v1.4.2
github.com/containerd/containerd v1.3.4 // indirect
github.com/containerd/continuity v0.0.0-20200709052629-daa8e1ccc0bc // indirect
github.com/denisenkom/go-mssqldb v0.11.0
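Review bot: the only `// indirect` bump in this hunk, github.com/DataDog/zstd v1.3.5 to v1.3.8, has no package in this module importing it, so it buys nothing for contrib while still raising the version selected in every consumer's build; drop it. For sarama, aws-sdk-go, smithy-go and confluent-kafka-go, the rule quoted from CONTRIBUTING.md in this thread prefers the minimum secure version, so each bump that stays should name in the commit message the vulnerability warning or dd-trace-go-breaking bug that the newer patch release fixes. The hunk header (-6,30 +6,34) also shows four lines added with no counterpart in the old file; those are not patch bumps and need their own explanation.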
Expand All @@ -48,22 +52,23 @@ require (
github.com/fatih/structs v1.1.0 // indirect
github.com/frankban/quicktest v1.13.0 // indirect
github.com/garyburd/redigo v1.6.3
github.com/gin-gonic/gin v1.7.0
github.com/gin-gonic/gin v1.7.7
github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8
github.com/go-chi/chi v1.5.0
github.com/go-chi/chi v1.5.4
github.com/go-chi/chi/v4 v4.0.0-rc1
github.com/go-chi/chi/v5 v5.0.0
github.com/go-chi/chi/v5 v5.0.7
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1 // indirect
github.com/go-ini/ini v1.25.4 // indirect
github.com/go-kit/kit v0.9.0 // indirect
github.com/go-ldap/ldap v3.0.2+incompatible // indirect
github.com/go-ldap/ldap/v3 v3.1.10 // indirect
github.com/go-pg/pg/v10 v10.0.0
github.com/go-playground/validator/v10 v10.4.1 // indirect
github.com/go-pg/pg/v10 v10.0.7
github.com/go-playground/validator/v10 v10.4.2 // indirect
github.com/go-redis/redis v6.15.9+incompatible
github.com/go-redis/redis/v7 v7.1.0
github.com/go-redis/redis/v8 v8.0.0
github.com/go-sql-driver/mysql v1.6.0
github.com/go-stack/stack v1.8.1 // indirect
github.com/go-test/deep v1.0.2 // indirect
github.com/gocql/gocql v0.0.0-20220224095938-0eacd3183625
github.com/gofiber/fiber/v2 v2.11.0
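Review bot: gin v1.7.0 to v1.7.7, chi v1.5.0 to v1.5.4, chi/v5 v5.0.0 to v5.0.7 and go-pg/v10 v10.0.0 to v10.0.7 are frameworks and drivers a consumer typically requires directly, which is exactly the implicit-upgrade case the thread discusses; unless a specific release among these closes a vulnerability warning, the minimum versions should stay. go-playground/validator/v10 is `// indirect` and should not move, and the new line `github.com/go-stack/stack v1.8.1 // indirect` has no counterpart in the old file, so the commit message should say why it is now needed.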
Expand All @@ -72,15 +77,16 @@ require (
github.com/golang/mock v1.4.3 // indirect
github.com/golang/protobuf v1.5.2
github.com/golang/snappy v0.0.4 // indirect
github.com/gomodule/redigo v1.7.0
github.com/gomodule/redigo v1.7.2
github.com/google/martian/v3 v3.0.0 // indirect
github.com/google/pprof v0.0.0-20210423192551-a2663126120b
github.com/google/uuid v1.3.0
github.com/gorilla/context v1.1.1 // indirect
github.com/gorilla/mux v1.5.0
github.com/gorilla/mux v1.7.4
github.com/graph-gophers/graphql-go v1.3.0
github.com/grpc-ecosystem/grpc-gateway v1.15.2 // indirect
github.com/hashicorp/consul/api v1.0.0
github.com/hashicorp/consul/api v1.0.1
github.com/hashicorp/consul/internal v0.1.0 // indirect
github.com/hashicorp/consul/sdk v0.7.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
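Review bot: github.com/gorilla/mux v1.5.0 to v1.7.4 crosses two minor versions, so it is not a patch bump and contradicts the PR title; either limit it to the highest v1.5 patch release, if one exists, or state which fix in v1.7.4 is required. redigo v1.7.0 to v1.7.2 and consul/api v1.0.0 to v1.0.1 need the same justification as the other patch bumps, and the one line this hunk adds (header +77,16 against -72,15) should be explained as well.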
Expand All @@ -89,7 +95,7 @@ require (
github.com/hashicorp/go-kms-wrapping/entropy v0.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-plugin v1.4.3 // indirect
github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
github.com/hashicorp/go-retryablehttp v0.6.8 // indirect
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
github.com/hashicorp/go-secure-stdlib/base62 v0.1.1 // indirect
github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
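Review bot: this hunk only moves an `// indirect` entry, github.com/hashicorp/go-retryablehttp v0.6.6 to v0.6.8; no package in this module imports it, so the bump does not help contrib and still raises the version selected in consumers' builds. Drop it unless it is needed to clear a vulnerability warning, in which case say so in the commit message.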
Expand All @@ -103,27 +109,31 @@ require (
github.com/hashicorp/mdns v1.0.1 // indirect
github.com/hashicorp/memberlist v0.1.6 // indirect
github.com/hashicorp/serf v0.8.6 // indirect
github.com/hashicorp/vault/api v1.1.0
github.com/hashicorp/vault/sdk v0.1.14-0.20200519221838-e0cfd64bc267
github.com/hashicorp/vault/api v1.1.1
github.com/hashicorp/vault/sdk v0.2.1
github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
github.com/jackc/pgx/v4 v4.14.0
github.com/jinzhu/gorm v1.9.1
github.com/jinzhu/now v1.1.3 // indirect
github.com/jinzhu/gorm v1.9.16
github.com/jinzhu/now v1.1.4 // indirect
github.com/jmoiron/sqlx v1.2.0
github.com/json-iterator/go v1.1.12 // indirect
github.com/jstemmer/go-junit-report v0.9.1 // indirect
github.com/julienschmidt/httprouter v1.1.0
github.com/julienschmidt/httprouter v1.2.0
github.com/klauspost/compress v1.14.4 // indirect
github.com/klauspost/crc32 v1.2.0 // indirect
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/labstack/echo v3.3.10+incompatible
github.com/labstack/echo/v4 v4.2.0
github.com/labstack/echo/v4 v4.2.2
github.com/labstack/gommon v0.3.1 // indirect
github.com/leodido/go-urn v1.2.1 // indirect
github.com/lib/pq v1.10.2
github.com/mattn/go-colorable v0.1.12 // indirect
github.com/mattn/go-sqlite3 v1.14.12
github.com/miekg/dns v1.1.25
github.com/miekg/dns v1.1.46
github.com/mitchellh/cli v1.1.0 // indirect
github.com/mitchellh/copystructure v1.0.0 // indirect
github.com/mitchellh/mapstructure v1.4.2 // indirect
github.com/mitchellh/mapstructure v1.4.3 // indirect
github.com/morikuni/aec v1.0.0 // indirect
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223 // indirect
github.com/onsi/gomega v1.16.0 // indirect
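Review bot: two changes in this hunk are not patch bumps and contradict the PR title: github.com/hashicorp/vault/sdk moves from the v0.1.14 pseudo-version to v0.2.1 and github.com/julienschmidt/httprouter from v1.1.0 to v1.2.0; both need a stated reason or a revert. github.com/miekg/dns v1.1.25 to v1.1.46 and github.com/jinzhu/gorm v1.9.1 to v1.9.16 jump many releases at once, so if the motivation is a bug that breaks dd-trace-go (the criterion proposed in the thread), bump to the first release that fixes it rather than the latest, and cite it. mitchellh/mapstructure is `// indirect` and should not move. Keeping github.com/jmoiron/sqlx at v1.2.0 is consistent with what the thread agreed.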
Expand All @@ -139,25 +149,26 @@ require (
github.com/prometheus/procfs v0.0.8 // indirect
github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/segmentio/kafka-go v0.4.29
github.com/segmentio/kafka-go v0.4.30
github.com/smartystreets/gunit v1.1.3 // indirect
github.com/stretchr/testify v1.7.0
github.com/syndtr/goleveldb v1.0.0
github.com/tidwall/assert v0.1.0 // indirect
github.com/tidwall/btree v1.1.0 // indirect
github.com/tidwall/buntdb v1.2.0
github.com/tidwall/buntdb v1.2.9
github.com/tidwall/grect v0.1.4 // indirect
github.com/tidwall/rtred v0.1.2 // indirect
github.com/tidwall/rtree v1.3.1 // indirect
github.com/tinylib/msgp v1.1.2
github.com/tinylib/msgp v1.1.6
github.com/twitchtv/twirp v8.1.1+incompatible
github.com/ugorji/go v1.1.14 // indirect
github.com/urfave/negroni v1.0.0
github.com/valyala/fasthttp v1.32.0 // indirect
github.com/vmihailenco/msgpack/v5 v5.3.4 // indirect
github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
github.com/vmihailenco/tagparser v0.1.2 // indirect
github.com/zenazn/goji v1.0.1
go.mongodb.org/mongo-driver v1.5.1
go.opencensus.io v0.22.4 // indirect
go.mongodb.org/mongo-driver v1.5.4
go.opencensus.io v0.22.6 // indirect
go.uber.org/atomic v1.9.0 // indirect
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect
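Review bot: vmihailenco/msgpack/v5 and go.opencensus.io are `// indirect` and should stay where they are. tidwall/buntdb v1.2.0 to v1.2.9 and tinylib/msgp v1.1.2 to v1.1.6 each skip several releases; if a specific bug or advisory motivates them, bump to the first fixed release and cite it in the commit message, otherwise keep the minimum per CONTRIBUTING.md. kafka-go v0.4.29 to v0.4.30 and mongo-driver v1.5.1 to v1.5.4 need the same justification.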
Expand All @@ -167,22 +178,23 @@ require (
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
golang.org/x/tools v0.1.9 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
google.golang.org/api v0.29.0
google.golang.org/appengine v1.6.6 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20200726014623-da3ae01ef02d // indirect
google.golang.org/grpc v1.32.0
google.golang.org/grpc v1.33.3
google.golang.org/protobuf v1.27.1
gopkg.in/alecthomas/kingpin.v2 v2.2.6 // indirect
gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
gopkg.in/jinzhu/gorm.v1 v1.9.1
gopkg.in/jinzhu/gorm.v1 v1.9.2
gopkg.in/olivere/elastic.v3 v3.0.75
gopkg.in/olivere/elastic.v5 v5.0.84
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
gorm.io/driver/mysql v1.0.1
gorm.io/driver/postgres v1.0.0
gorm.io/driver/sqlserver v1.0.4
gorm.io/gorm v1.20.6
gorm.io/gorm v1.20.12
gotest.tools/v3 v3.0.2 // indirect
honnef.co/go/tools v0.0.1-2020.1.4 // indirect
k8s.io/apimachinery v0.17.0
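Review bot: google.golang.org/grpc v1.32.0 to v1.33.3 is a minor bump on a module that many consumers require directly, so it is outside the PR title and is the implicit-upgrade scenario the thread warns about; keep v1.32.0, or its highest patch release, unless a vulnerability in v1.32.0 is the reason, and say so if it is. google.golang.org/appengine is `// indirect` and should not move; gorm.v1 v1.9.1 to v1.9.2 and gorm.io/gorm v1.20.6 to v1.20.12 need the same justification as the rest of the patch bumps.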