Stop bumping go directive unless necessitated by other dependencies #1454
Nothing in this repo necessitated 1.23.1. In fact, it is shown that the lowest required by other deps is 1.23.1 as required by |
Often there are CVEs in the standard library, and the only way to enforce remediation of them in any builds is to bump the version number. At Chainguard, we do not support building binaries with known CVEs.
The standard libraries used to build are based on the toolchain setting. The go directive is the wrong way to go because it affects importing modules. Please see https://go.dev/doc/toolchain#:~:text=Go%20toolchain%20selection%C2%B6. The go.mod go directive is the wrong way to go. If your CI system lacks the ability to specify the correct Go version to use outside of the go.mod file (my preference), use the toolchain directive instead, please.
You do not have to build binaries with known CVEs AND force importing dependencies (those outside of Chainguard) to have higher minimum versions. Everyone, including the importing modules, can fix standard library CVEs through Go CLI updates etc. WITHOUT committing a change to the go.mod file.
This repo by itself should not be enforcing a minimum on other repositories importing it. Stop spreading the "minimum virus".
Ideally, the toolchain version used will be defined outside of go.mod, such as by installing a newer compatible Go toolchain in the CI/CD/development environment.
Failing that, the toolchain directive should be used instead of the go directive for bumping versions, so as not to cascade minimum versions to importing dependencies.
High-profile repos that have removed/reduced the minimum Go patch version per user requests:
Being proactive to prevent the following from recurring:
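To make the distinction concrete, here is an added example (not code from this repository or from either commenter) of a small CI check that reads a go.mod, flags a go directive that pins a patch release such as 1.23.1, and suggests the shape asked for above: go directive trimmed to major.minor, with the patch release moved into a toolchain directive so importers inherit only the language version. The sample go.mod text and the function names are constructed for this example; the check is a plain string parser and does not use golang.org/x/mod.

```go
package main

import (
	"fmt"
	"strings"
)

// ModVersions holds the two version directives a go.mod can carry.
type ModVersions struct {
	Go        string // `go` directive value, e.g. "1.22" or "1.23.1"
	Toolchain string // `toolchain` directive value, e.g. "go1.23.1"; "" if absent
}

// ParseGoMod pulls the go and toolchain directives out of go.mod text.
// Comments are stripped first; require/replace/exclude lines never match
// because their first field is not "go" or "toolchain".
func ParseGoMod(src string) ModVersions {
	var mv ModVersions
	for _, line := range strings.Split(src, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		switch f[0] {
		case "go":
			mv.Go = f[1]
		case "toolchain":
			mv.Toolchain = f[1]
		}
	}
	return mv
}

// HasPatch reports whether a go directive value carries a patch component
// ("1.23.1") rather than only a language version ("1.23").
func HasPatch(v string) bool { return strings.Count(v, ".") >= 2 }

// Suggest returns the corrected directives and whether anything changed:
// the go line is cut back to major.minor and, if no toolchain directive
// exists yet, the pinned patch release becomes the toolchain directive.
func Suggest(mv ModVersions) (ModVersions, bool) {
	if !HasPatch(mv.Go) {
		return mv, false // nothing cascades to importers; leave as-is
	}
	p := strings.SplitN(mv.Go, ".", 3)
	out := ModVersions{Go: p[0] + "." + p[1], Toolchain: mv.Toolchain}
	if out.Toolchain == "" {
		out.Toolchain = "go" + mv.Go
	}
	return out, true
}

func main() {
	// Constructed go.mod reproducing the bump this issue objects to.
	const sample = "module example.com/lib\n\ngo 1.23.1\n\nrequire (\n\tgolang.org/x/text v0.14.0 // indirect\n)\n"
	mv := ParseGoMod(sample)
	if fixed, changed := Suggest(mv); changed {
		fmt.Printf("go %s -> go %s + toolchain %s\n", mv.Go, fixed.Go, fixed.Toolchain)
	}
}
```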