You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The only direct dependency of my code is "github.com/spf13/viper v1.0.0"; however, it is completely impossible to guess it in the middle of that huge list.
What did you expect to see?
I expected the go.mod file to not include the transitive dependencies of my code.
This is the standard behavior of any other build manager used by my company (i.e. maven, gradle, cargo, npm, dep).
Finally, I find extremely scaring that the go.mod file is silently modified without asking or informing me.
What did you see instead?
The go.mod file is silently changed and it now contains a confusing flat list of libraries. Consequently, it is nearly impossible to understand what I am directly using; so simple operations (e.g. updating a direct dependency) becomes really hard.
This was an experiment to evaluate vgo, but following this result, my company decided to stay with dep which we feel is less invasive and simpler than vgo. In addition, it gives us the feeling that we, and not the tool, are in control of our configuration files.
The text was updated successfully, but these errors were encountered:
ufoscout
changed the title
VGO: transitive dependencies should not appear in the go.mod file
x/vgo: transitive dependencies should not appear in the go.mod file
May 16, 2018
vgo is designed to modify mod.go as requested from commands such as vgo get. This is similar to how goimports will re-write or update go source files.
vgo is designed so that running vgo build twice will always produce the same binary. A few observations: no lock file (go.mod or other lock file) exists in viper. Thus in order to achieve the previously stated goal, vgo must include these dependencies in this mod.go.
vgo doesn't have a lock file. In other words, it uses MVS to combine each mod.go into a set of "locked" dependencies. In this case, because you viper lacks such a mod.go file, it requires all transitive dependencies to be included.
Due to these, I would encurage you to fork viper, include a mod.go file in that module, then reference that fork in mod.go. vgo shouldn't include those transitive dependencies in main repo if they are stated elsewhere (they still can be and the MVS will operate on it still if you need to bump a transitive dependency version).
What you are seeing is the intended behavior of vgo.
What version of Go are you using (
go version
)?go version go1.10.2 linux/amd64
Does this issue reproduce with the latest release?
Reproducible with vgo:2018-02-20.1
What operating system and processor architecture are you using (
go env
)?What did you do?
I migrated a sample application from dep to vgo. The original dep configuration file was as simple as:
I manually created this equivalent go.mod file:
However, when I launched "vgo build", the go.mod file was silently modified to the following one that contains all the transitive dependencies:
The only direct dependency of my code is "github.com/spf13/viper v1.0.0"; however, it is completely impossible to guess it in the middle of that huge list.
What did you expect to see?
I expected the go.mod file to not include the transitive dependencies of my code.
This is the standard behavior of any other build manager used by my company (i.e. maven, gradle, cargo, npm, dep).
Finally, I find extremely scaring that the go.mod file is silently modified without asking or informing me.
What did you see instead?
The go.mod file is silently changed and it now contains a confusing flat list of libraries. Consequently, it is nearly impossible to understand what I am directly using; so simple operations (e.g. updating a direct dependency) becomes really hard.
This was an experiment to evaluate vgo, but following this result, my company decided to stay with dep which we feel is less invasive and simpler than vgo. In addition, it gives us the feeling that we, and not the tool, are in control of our configuration files.
The text was updated successfully, but these errors were encountered: