
Old versions of golang.org/x/net/html have vulnerabilities. Yikes! Better upgrade the packages. We used govendor to set up our Shopify integration project two years ago, so let's use govendor to upgrade:

ip-192-168-3-40:Shopify-Gateway username$ git diff
ip-192-168-3-40:Shopify-Gateway username$ govendor fetch golang.org/x/net/html
ip-192-168-3-40:Shopify-Gateway username$ git diff
ip-192-168-3-40:Shopify-Gateway username$

Govendor isn't doing anything! Here is the vendor.json file after the fetch:

    {
        "checksumSHA1": "vqc3a+oTUGX8PmD0TS+qQ7gmN8I=",
        "path": "golang.org/x/net/html",
        "revision": "d997483c6db05184c79c182674d01f1e7b7553ae",
        "revisionTime": "2017-05-30T13:01:13Z"
    },

That is a pretty old revision, certainly older than the vulnerability fix which is dated Sep 25, 2018. Govendor is an older package, and doesn't seem to be maintained any more. Do I have to replace govendor? Is there a natural replacement? Or is there something else I am doing wrong that is preventing me from updating my packages?

Version info:

ip-192-168-3-40:Shopify-Gateway username$ govendor --version
v1.0.9
ip-192-168-3-40:Shopify-Gateway username$ go version
go version go1.13.1 darwin/amd64

EDIT: Many are suggesting go modules. We can't use them! We're relying on an unversioned dependency, and when we try to upgrade a package to go modules this dependency is dropped to a lower version, thus introducing database security vulnerabilities. I need to be able to update packages in place, as they have been installed by govendor.

I've also tried to install specific version numbers of the govendor packages that I want to use:

ip-192-168-3-40:Shopify-Gateway username$ govendor fetch golang.org/x/net/html@d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
ip-192-168-3-40:Shopify-Gateway username$ git diff
ip-192-168-3-40:Shopify-Gateway username$

Why isn't govendor updating my package?

kingledion

  • "Is there a natural replacement?" Go Modules would be the natural replacement. Govendor was likely abandoned because vendoring was added in Go 1.5 (several years ago) and full dependency management (Go Modules) was added in Go 1.11 (over a year ago). – Adrian Dec 05 '19 at 18:33
  • See here for info: https://github.com/golang/go/wiki/Modules – Adrian Dec 05 '19 at 18:33
  • This is answered by [govendor itself](https://github.com/kardianos/govendor#use-go-modules). TLDR; "Use Go modules" – Jonathan Hall Dec 05 '19 at 18:39
  • Did you run `go mod init`? The `mod` tool both understands the old govendor manifest, and can require dependencies based on specific commits. Even if you don't convert the `vendor.json`, you can still `go get` specific commits and versions. – JimB Dec 05 '19 at 22:18
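As an added example that is not part of the question, of govendor, or of any answer here: a small Go program that does by code what the question does by eye. It parses a govendor `vendor.json`, looks up the fix date for each vendored package's module, and reports every entry whose pinned `revisionTime` is older than that fix. The `vendor.json` below is constructed (its first entry is copied from the question, the second is made up to show a clean result), the Sep 25, 2018 fix date for golang.org/x/net is the one the question mentions, and the longest-module-prefix matching rule and all function names are my own assumptions, not govendor's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// VendorPackage is one entry of govendor's vendor.json "package" array
// (only the fields this check needs are declared).
type VendorPackage struct {
	Path         string    `json:"path"`
	Revision     string    `json:"revision"`
	RevisionTime time.Time `json:"revisionTime"` // RFC 3339, parsed by encoding/json
}

// vendorFile is the top-level vendor.json document.
type vendorFile struct {
	Package []VendorPackage `json:"package"`
}

// StaleFinding reports a vendored package pinned before its module's fix date.
type StaleFinding struct {
	Path     string
	Revision string
	Pinned   time.Time
	FixedAt  time.Time
}

// StalePackages parses vendor.json and returns every package whose pinned
// revisionTime predates the fix date of the longest matching module prefix in
// fixDates (so "golang.org/x/net" covers "golang.org/x/net/html").
func StalePackages(vendorJSON []byte, fixDates map[string]time.Time) ([]StaleFinding, error) {
	var vf vendorFile
	if err := json.Unmarshal(vendorJSON, &vf); err != nil {
		return nil, fmt.Errorf("parse vendor.json: %w", err)
	}
	var out []StaleFinding
	for _, p := range vf.Package {
		fixedAt, ok := fixFor(p.Path, fixDates)
		if !ok {
			continue // no fix date tracked for this module
		}
		if p.RevisionTime.Before(fixedAt) {
			out = append(out, StaleFinding{p.Path, p.Revision, p.RevisionTime, fixedAt})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// fixFor picks the longest module prefix in fixDates that matches pkgPath on a
// path-segment boundary ("golang.org/x/net" must not match "golang.org/x/nettest").
func fixFor(pkgPath string, fixDates map[string]time.Time) (time.Time, bool) {
	var best string
	var when time.Time
	for mod, t := range fixDates {
		if (pkgPath == mod || strings.HasPrefix(pkgPath, mod+"/")) && len(mod) > len(best) {
			best, when = mod, t
		}
	}
	return when, best != ""
}

// Constructed sample: the first entry is the stale pin shown in the question;
// the second is made up (placeholder checksum and revision) and dated after the fix.
var sampleVendorJSON = []byte(`{
  "package": [
    {
      "checksumSHA1": "vqc3a+oTUGX8PmD0TS+qQ7gmN8I=",
      "path": "golang.org/x/net/html",
      "revision": "d997483c6db05184c79c182674d01f1e7b7553ae",
      "revisionTime": "2017-05-30T13:01:13Z"
    },
    {
      "checksumSHA1": "CONSTRUCTED-PLACEHOLDER-CHECKSUM=",
      "path": "golang.org/x/net/context",
      "revision": "constructed-placeholder-revision",
      "revisionTime": "2019-01-01T00:00:00Z"
    }
  ]
}`)

// Fix dates come from whatever advisory you are tracking; this one is the
// Sep 25, 2018 x/net fix the question refers to (assumed to apply to the whole module).
var fixDates = map[string]time.Time{
	"golang.org/x/net": time.Date(2018, time.September, 25, 0, 0, 0, 0, time.UTC),
}

func main() {
	stale, err := StalePackages(sampleVendorJSON, fixDates)
	if err != nil {
		panic(err)
	}
	for _, f := range stale {
		fmt.Printf("STALE %s @ %.12s pinned %s, fixed %s\n",
			f.Path, f.Revision, f.Pinned.Format("2006-01-02"), f.FixedAt.Format("2006-01-02"))
	}
	if len(stale) == 0 {
		fmt.Println("no vendored packages older than their fix dates")
	}
}
```

Run it with `go run` against your real `vendor.json` by reading the file instead of the embedded sample. The point of the check is the one the empty `git diff` above makes: after a `govendor fetch` that did nothing, the same entry is still flagged, so a stale pin is caught even when the upgrade tooling silently fails.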

1 Answer

You have to migrate to go modules. First, create a new module. With these easy steps you will be able to init a module and create the go.mod file [https://stackoverflow.com/a/57944766/9361998].

Then you have to type:

go mod init YOUR_REPOSITORY_NAME
go clean
go mod download # wait until dependencies are downloaded
go build        # be sure that the code compiles
go mod tidy     # prune unnecessary dependencies
go get -u ./... # update dependencies

Note: with the last command you are going to update the deps to the latest MINOR patch; be sure to change the go.mod file for the latest MAJOR version.

EDIT

Another approach can be to download the module into your GOPATH using `go get -v -u github.com/repository_name/module_name`. This way the module will be downloaded into your GOPATH.

alessiosavi

  • Thanks for the answer. Attempted to do this and unable to make it work, edit in original question. But I'd agree this would be the best solution, if it were possible. – kingledion Dec 05 '19 at 19:42
  • Thank you sir! Remember that you can modify manually the `go.mod` file in order to change the version. Then run `go clean` or `go get -v -u ./...` – alessiosavi Dec 05 '19 at 19:50
  • You're missing `go init`, which in this case will attempt to convert the vendor manifest to go.mod. `go clean` does not download any dependencies. You should not be editing `go.mod` to get new versions, and you cannot update a major version > 1 by editing `go.mod`, because the import path must be changed in the source. – JimB Dec 06 '19 at 14:23
  • Hi @JimB, instead of adding the `go mod init` step, I've chosen to link a short description of how to create a module. Thank you, I missed `go mod download` – alessiosavi Dec 06 '19 at 16:23