x/tools depends on the github.com/yuin/goldmark library which, unlike all other dependencies, is owned by a non-Go team. Isn't this potentially problematic or even unsafe for the community?
I see this because golang.org/x/net depends on golang.org/x/text, which depends on golang.org/x/tools, and now goldmark ends up in your go.sum.
The use of goldmark is limited to the 'present' package and tool (as well as x/website for go.dev itself), so there is no safety problem for the vast majority of uses. In particular, if you are only using x/net or x/text, then you are not importing goldmark in any way. The long term plan is to remove the use of goldmark, which is only an implementation detail of those packages.
That said, if you are seeing goldmark in your go.sum file, I think that means your go.mod file says "go 1.16" or earlier and is not using pruned module graphs. If so, then as documented in the release notes I linked, you can run 'go mod tidy -go=1.17' (or 1.18 or 1.19) to update your go.mod file without affecting selected dependency versions.
If your go.mod already says 'go 1.17' or later, then you may just need to run 'go mod tidy' to clean up go.sum.
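A way to check both points from the reply above, as an added example that is not part of the thread or of the Go project's code: it reads a go.mod and a go.sum, reports whether the go directive is 1.17 or later (pruned module graphs), and lists modules that go.sum records only with a `/go.mod` checksum, meaning only their go.mod file was hashed for version selection and no source archive checksum is recorded. The function names, sample file contents, versions and hashes are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample inputs: module versions and hashes are placeholders.
const sampleGoMod = "module example.com/app\n\ngo 1.16\n\nrequire golang.org/x/net v0.0.1\n"
const sampleGoSum = `github.com/yuin/goldmark v0.0.1/go.mod h1:CONSTRUCTED1=
golang.org/x/net v0.0.1 h1:CONSTRUCTED2=
golang.org/x/net v0.0.1/go.mod h1:CONSTRUCTED3=
`

// prunedGraph reports whether go.mod declares go 1.17 or later (hypothetical helper).
func prunedGraph(goMod string) bool {
	var major, minor int
	for _, l := range strings.Split(goMod, "\n") {
		if n, _ := fmt.Sscanf(l, "go %d.%d", &major, &minor); n == 2 {
			return major > 1 || (major == 1 && minor >= 17)
		}
	}
	return false // no go directive found
}

// graphOnly lists module@version entries with a /go.mod hash but no source archive hash.
func graphOnly(goSum string) []string {
	zip := map[string]bool{}
	var mods, out []string
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line) // module, version[/go.mod], hash
		if len(f) != 3 {
			continue
		}
		if v := strings.TrimSuffix(f[1], "/go.mod"); v != f[1] {
			mods = append(mods, f[0]+"@"+v)
		} else {
			zip[f[0]+"@"+v] = true
		}
	}
	for _, m := range mods {
		if !zip[m] {
			out = append(out, m)
		}
	}
	return out
}

func main() { fmt.Println(prunedGraph(sampleGoMod), graphOnly(sampleGoSum)) }
```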
https://github.com/golang/tools/blob/9b5e55b1a7e215a54c9784492d801104a8381a91/go.mod#L6