
Upgrade module dependencies version #249

Open
cboitel opened this issue Nov 19, 2021 · 3 comments

Comments


cboitel commented Nov 19, 2021

While reviewing dependencies on some other project, I found this one was somewhat suffering from a recurrent update policy which is good security practice in general.

A go get -u reveals the following updates are pending:

-       github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da
+       github.com/armon/go-metrics v0.3.10

-       github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c
+       github.com/google/btree v1.0.1

-       github.com/hashicorp/go-msgpack v0.5.3
+       github.com/hashicorp/go-msgpack v1.1.5

-       github.com/hashicorp/go-multierror v1.0.0
+       github.com/hashicorp/go-multierror v1.1.1

-       github.com/hashicorp/go-sockaddr v1.0.0
+       github.com/hashicorp/go-sockaddr v1.0.2

-       github.com/miekg/dns v1.1.26
+       github.com/miekg/dns v1.1.43

-       github.com/stretchr/testify v1.2.2
+       github.com/stretchr/testify v1.4.0
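Review bot: none of these bumps says what it fixes, so a maintainer cannot tell from the list which floors actually need raising; each line should name the advisory or bug fix it brings (or be marked as a plain "latest" bump). The go-msgpack line, `-       github.com/hashicorp/go-msgpack v0.5.3` / `+       github.com/hashicorp/go-msgpack v1.1.5`, also leaves the pre-1.0 range, where incompatible changes are permitted, so that one deserves an explicit compatibility check against the code that depends on it before the minimum is raised.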

dnephin (Contributor) commented Nov 22, 2021

Thank you for your interest in the maintenance of memberlist!

Since memberlist is a library (not an application), and Go modules use minimum version selection, I believe it is generally a good practice to leave the required versions at the lowest viable version. The versions in the memberlist go.mod are only really relevant for running the tests in this repository.

Any application that uses memberlist should require more recent versions. Updating the go.mod file in this repo to the latest version of everything could make it more difficult to use memberlist. It would mean that someone updating memberlist would be forced to update a lot more dependencies.

If there are specific security problems or bug fixes in our dependencies that impact memberlist, we should definitely update the minimum supported version. Otherwise I think it is better for consumers to leave them as-is.
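The minimum version selection behaviour dnephin describes, as an added illustration that is not code from memberlist or the Go toolchain: a small Go implementation of MVS run over a constructed requirement graph whose module names and versions are hypothetical. The application already requires go-metrics above the library's floor, so the library's lower floor in its own go.mod changes nothing; only a library floor higher than the application's would force the application up.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one "module version" line of a go.mod require block;
// Graph maps "module@version" to the requirements in that version's go.mod.
type Requirement struct{ Module, Version string }
type Graph map[string][]Requirement

// semverLess reports a < b for plain "vX.Y.Z" versions (no pre-release handling).
func semverLess(a, b string) bool {
	pa, pb := strings.Split(a[1:], "."), strings.Split(b[1:], ".")
	for i := range pa {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x < y
		}
	}
	return false
}

// BuildList implements minimum version selection: every requirement reachable
// from root is visited and, per module, the highest requested version wins.
func BuildList(g Graph, root string) map[string]string {
	selected, seen := map[string]string{}, map[string]bool{root: true}
	for work := []string{root}; len(work) > 0; work = work[1:] {
		for _, r := range g[work[0]] {
			if cur, ok := selected[r.Module]; !ok || semverLess(cur, r.Version) {
				selected[r.Module] = r.Version
			}
			if key := r.Module + "@" + r.Version; !seen[key] {
				seen[key] = true
				work = append(work, key)
			}
		}
	}
	return selected
}

func main() {
	// Constructed, hypothetical graph: the app pins go-metrics above the library's floor.
	g := Graph{
		"app@v0.0.0":        {{"memberlist", "v0.3.0"}, {"go-metrics", "v0.4.0"}},
		"memberlist@v0.3.0": {{"go-metrics", "v0.3.10"}},
	}
	fmt.Println(BuildList(g, "app@v0.0.0")) // map[go-metrics:v0.4.0 memberlist:v0.3.0]
}
```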


cboitel (Author) commented Oct 5, 2022

As for me, the minimum viable version is one not having a CVE.

@mandeepbrar

Getting this error
go: github.com/armon/go-metrics@v0.5.1: parsing go.mod:
module declares its path as: github.com/hashicorp/go-metrics
but was required as: github.com/armon/go-metrics
