x/tools: depends on non-go-team library #56266
Comments
gopherbot
added
the
Tools
|
The use of goldmark is limited to the 'present' package and tool (as well as x/website for go.dev itself), so there is no safety problem for the vast majority of uses. In particular, if you are only using x/net or x/text, then you are not importing goldmark in any way. The long term plan is to remove the use of goldmark, which is only an implementation detail of those packages. That said, if you are seeing goldmark in your go.sum file, I think that means your go.mod file says "go 1.16" or earlier and is not using pruned module graphs. If so, then as documented in the release notes I linked, you can run 'go mod tidy -go=1.17' (or 1.18 or 1.19) to update your go.mod file without affecting selected dependency versions. If your go.mod already says 'go 1.17' or later, then you may just need to run 'go mod tidy' to clean up go.sum. |
|
Closing as this is known and intentional. |
x/toolsdepends ongithub.com/yuin/goldmarklibrary which is unlike all other dependencies owned by non-go team. Is not this potentially problematic or even unsafe for the community?I see this because
golang.org/x/netdepends ongolang.org/x/textit depends ongolang.org/x/toolsand nowgoldmarkend up in yourgo.sumhttps://github.com/golang/tools/blob/9b5e55b1a7e215a54c9784492d801104a8381a91/go.mod#L6
The text was updated successfully, but these errors were encountered: