Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Circular dependency with testify #124

Closed
kaovilai opened this issue Sep 14, 2022 · 11 comments · Fixed by #140
Closed

Circular dependency with testify #124

kaovilai opened this issue Sep 14, 2022 · 11 comments · Fixed by #140
Milestone
v0.5.1

Comments

@kaovilai
Copy link

objx requires github.com/stretchr/testify v1.7.1
github.com/stretchr/testify requires objx v0.4.0

Would be cool if it could be avoided. No other reason in particular.
@hanzei
Copy link
Collaborator

hanzei commented Sep 18, 2022

Can you elaborate on why this needs fixing? Did you run into any issues?

@kaovilai
Copy link
Author

Just a go.sum eyesore that's all.

For some reason golang don't prevent module circular dependency but does at the package level.

@gildas
Copy link

gildas commented Oct 3, 2022

It also makes snyk complain about security issues (these issues should be gone from testify 1.8.0):
SNYK-GOLANG-GOPKGINYAMLV3-2841557, SNYK-GOLANG-GOPKGINYAMLV3-2952714

@joaocbarbosa
Copy link

facing the same problem of @gildas on a Snyk pipeline.
But checking out the code, I noticed that the problem was already fixed on master branch, maybe what is missing is generate a new package release.

@geseq
Copy link
Collaborator

geseq commented Oct 15, 2022

created a new release

@joaocbarbosa
Copy link

thank you so much @geseq.

just a question, the old version of objx still be used by testify 1.8.0, and by that, indirectly, is using a vulnerable version of the yaml.v3 package, as the dependency tree below:

- testify v1.8.0
   - objx v0.4.0
      - testify v1.7.1
         - yaml.v3 v3.0.0

Vulnerability found here:
https://security.snyk.io/package/golang/github.com%2Fgo-yaml%2Fyaml

Is threre any schedule for dependabot to run and update it?

@geseq
Copy link
Collaborator

geseq commented Oct 15, 2022

Sorry I have no idea. You’d have to ask this in the testify repo

@joaocbarbosa joaocbarbosa mentioned this issue Oct 15, 2022
Closed
@rohanthewiz
Copy link

rohanthewiz commented Oct 31, 2022
edited

I created this issue in the testify repo: stretchr/testify#1292.
We might need to add a new tag for objx (maybe v0.5.1), so as to stop the backwards pointing to older, vulnerable versions.

Currently here in objx, the bump to testify 1.8.1 is after the v0.5.0 tag:

> git log --oneline -3
c0315e5 (HEAD -> master, origin/master, origin/HEAD) Fix a couple typos in the README.md (#128)
40ef69b Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#126)
50a2c06 (tag: v0.5.0) Fix typo in Taskfile (#122)

@westy92
Copy link

westy92 commented Mar 1, 2023

I was able to solve this by adding this to my go.mod file:

exclude github.com/stretchr/testify v1.7.1

@westy92 westy92 mentioned this issue Mar 1, 2023
Merged
@dolmen
Copy link
Contributor

dolmen commented Jun 13, 2023

To the maintainer: would you accept a PR that would drop the use of testify and just use testing? This would fix that dependency circle forever. I'm ready to do the work.

dolmen added a commit to dolmen-go/stretchr-objx.fork that referenced this issue Jul 4, 2023
@dolmen
deps: fix dependency cycle with testify (stretchr#124)
2fac82d 
In go.mod exclude the previous of testify to break the dependency cycle.
Fixes stretchr#124 and stretchr/testify#1292 (once testify
upgrades).

  go mod edit -exclude=github.com/stretchr/testify@v1.8.0
  go mod tidy
@dolmen dolmen mentioned this issue Jul 4, 2023
Merged
2 tasks
@dolmen
Copy link
Contributor

dolmen commented Jul 4, 2023
edited

I found an easier way to help Go break the cycle. See #140. Thanks to @westy92 and @mgibson-r7.

hanzei pushed a commit that referenced this issue Aug 8, 2023
@dolmen
deps: fix dependency cycle with testify (#124) (#140)
65e87f4
@hanzei hanzei added this to the v0.5.1 milestone Feb 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.5.1
Development

Successfully merging a pull request may close this issue.

deps: fix dependency cycle with testify (#124) dolmen-go/stretchr-objx.fork
8 participants
@gildas @dolmen @westy92 @rohanthewiz @geseq @kaovilai @hanzei @joaocbarbosa