Skip to content

cmd/go: go get -u yields a different result compared to go get on a clean go.mod #38362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
perillo opened this issue Apr 10, 2020 · 8 comments
Closed

cmd/go: go get -u yields a different result compared to go get on a clean go.mod #38362

perillo opened this issue Apr 10, 2020 · 8 comments
Labels
FrozenDueToAge modules WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.

Comments

@perillo
Copy link
Contributor

perillo commented Apr 10, 2020

What version of Go are you using (go version)?

$ go version
go version go1.14.2 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN="/home/manlio/.local/bin"
GOCACHE="/home/manlio/.cache/go-build"
GOENV="/home/manlio/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE="*.local"
GONOPROXY=""
GONOSUMDB="*.local"
GOOS="linux"
GOPATH="/home/manlio/.local/lib/go:/home/manlio/src/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build291533826=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.14.2 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.14.2
uname -sr: Linux 5.6.3-arch1-1
/usr/lib/libc.so.6: GNU C Library (GNU libc) stable release version 2.31.
gdb --version: GNU gdb (GDB) 9.1

What did you do?

I have a module that requires

github.com/perillo/gocmd v0.1.0
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee

After invoking go clean -modcache, go get -u and go mod tidy, the diff is:

diff --git a/go.mod b/go.mod
index 1bdf274..6267078 100644
--- a/go.mod
+++ b/go.mod
@@ -4,5 +4,6 @@ go 1.13
 
 require (
 	github.com/perillo/gocmd v0.1.0
-	golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee
+	golang.org/x/mod v0.2.0
+	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 // indirect
 )
diff --git a/go.sum b/go.sum
index 3ed6d9b..d3eae95 100644
--- a/go.sum
+++ b/go.sum
@@ -2,11 +2,17 @@ github.com/perillo/gocmd v0.1.0 h1:7xxkp0uE/xd6EtSEu5yA7clzAYjBnAL1ztrk5LQebd4=
 github.com/perillo/gocmd v0.1.0/go.mod h1:cQUA4Rm33rkwp7ulJrvxY9TONS1DQfb4mLTNLMOaBVk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee h1:WG0RUwxtNT4qqaXX3DPA8zHFNm/D9xaBpxzHt1WcA/E=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0 h1:KU7oHjnv3XNWfa5COkzUifxZmxp1TyI7ImMXqFxLwvQ=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

I found that indirect requirement in the go.mod file suspicious, so I removed the go.mod and go.sum files, and invoked go mod init and go get. The new diff is:

diff --git a/go.mod b/go.mod
index 1bdf274..f287459 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,8 @@
 module github.com/perillo/i3workon
 
-go 1.13
+go 1.14
 
 require (
 	github.com/perillo/gocmd v0.1.0
-	golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee
+	golang.org/x/mod v0.2.0
 )
diff --git a/go.sum b/go.sum
index 3ed6d9b..d0b378c 100644
--- a/go.sum
+++ b/go.sum
@@ -2,11 +2,15 @@ github.com/perillo/gocmd v0.1.0 h1:7xxkp0uE/xd6EtSEu5yA7clzAYjBnAL1ztrk5LQebd4=
 github.com/perillo/gocmd v0.1.0/go.mod h1:cQUA4Rm33rkwp7ulJrvxY9TONS1DQfb4mLTNLMOaBVk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee h1:WG0RUwxtNT4qqaXX3DPA8zHFNm/D9xaBpxzHt1WcA/E=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0 h1:KU7oHjnv3XNWfa5COkzUifxZmxp1TyI7ImMXqFxLwvQ=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

Having different results is probably not the correct behavior.

Thanks
@perillo
Copy link
Contributor Author

perillo commented Apr 10, 2020

Note that the indirect requirement in go.mod is not removed by go mod tidy. If it is responsibility of go mod tidy to remove it, this is issue is probably a duplicate.

@bcmills
Copy link
Contributor

bcmills commented Apr 10, 2020

go get is different from go get -u. The former requests that the named packages be added at their latest version. The latter requests that all transitive imports of those packages also be upgraded to their latest version.

As far as I can tell, this is working as designed and documented (in https://golang.org/cmd/go/#hdr-Add_dependencies_to_current_module_and_install_them).

@bcmills
Copy link
Contributor

bcmills commented Apr 10, 2020

Note in particular that golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 is more recent than the version specified in golang.org/x/mod/go.mod at v0.2.0, which is v0.0.0-20191011141410-1b5146add898:
https://github.com/golang/mod/blob/ed3ec21bb8e252814c380df79a80f366440ddb2d/go.mod#L8

@bcmills bcmills added modules WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. labels Apr 10, 2020
@perillo
Copy link
Contributor Author

perillo commented Apr 10, 2020

The documentation says:

The -u flag instructs get to update modules providing dependencies of packages named on the command line to use newer minor or patch releases when available

and

The -u=patch flag (not -u patch) also instructs get to update dependencies, but changes the default to select patch releases

So, it is only go get -u=patch that requests all transitive imports, as far as I understand.

https://golang.org/cmd/go/#hdr-Maintaining_module_requirements says:

Indirect requirements are automatically removed from the go.mod file once they are implied by other direct requirements. Indirect requirements only arise when using modules that fail to state some of their own dependencies or when explicitly upgrading a module's dependencies ahead of its own stated requirements.

This is probably the reason for the added indirect requirement, but I'm not sure I fully understand the reason.

Thanks

@bcmills
Copy link
Contributor

bcmills commented Apr 10, 2020

Within the Go command documentation, the phrase “dependencies” generally means “transitive dependencies”, not “immediate dependencies”. The only difference between -u and -u=patch is whether it upgrades to upgrade (which is usually equivalent to latest), or patch (which is more conservative).

@perillo
Copy link
Contributor Author

perillo commented Apr 10, 2020

If go get -u is the only command to use for updating dependencies, I think it is wrong that it adds an indirect dependency that is not added by go get in a clean go.mod file. Unless there was a problem when I added the dependencies or if the problem is go mod tidy that does not remove the indirect dependency.

@jayconrod
Copy link
Contributor

Seems like this is working. Maybe the documentation isn't clear on the implications though?

go get updates modules that provide packages named on the command line. Without arguments, it applies to the package in the current directory.

go get -u additionally updates modules that provide packages transitively imported by packages named on the command line. This can result in // indirect requirements on modules with packages that are only indirectly imported: you now require those modules at a higher version than your direct requirements ask for.

go mod tidy doesn't usually update anything, but it will add missing requirements, and that may cause existing requirements to be upgraded for consistency (if there's some common dependency). It may remove requirements that aren't needed, but it won't downgrade indirect requirements.

@jayconrod
Copy link
Contributor

Closing. Doesn't seem like there's anything to do here.

@golang golang locked and limited conversation to collaborators Apr 17, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge modules WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jayconrod @bcmills @perillo @gopherbot