Details
-
Improvement
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
None
-
None
Description
The replace directives should be used when
1. the dependency is indirect, AND
2. the indirect version is too old or has CVEs/compatibility issues
Once the replace directives are setup, we won't remove the replace directive even if the issues are fixed in newer indirect version. One reason is to reduce maintenance effort. Another reason is that we can't ensure that the poor dependency won't be pull back in later indriect release.
Please refer to the PR discussion for more details:
We maintain the replace directives with moderate effort.
For example: core repo has following deps in the replace
golang.org/x/crypto => golang.org/x/crypto v0.18.0
this should be changed to 0.19.0 since the indirect version is v0.19.0
golang.org/x/lint => golang.org/x/lint v0.0.0-20210508222113-6edffad5e616
this should be removed since we don't use it actually, and golangci-lint is replacement in our CI.
golang.org/x/net => golang.org/x/net v0.20.0
this should be upgrade to v0.21.0
golang.org/x/sys => golang.org/x/sys v0.16.0
this should be changed to v0.17.0 since the indirect version is v0.17.0
golang.org/x/text => golang.org/x/text v0.14.0
this should be kept even if the indirect version is v0.14.0
golang.org/x/tools => golang.org/x/tools v0.17.0
this should keep in the replace since the resolved version is v0.6.0 and it is too stale (released on Feb 8, 2023)