Jan-Lukas Else

Thoughts of an IT expert

A script for Go dependency updates

Published on in 👨‍💻 Dev
Short link: https://b.jlel.se/s/609
⚠️ This entry is already over one year old. It may no longer be up to date. Opinions may have changed.

I regularly update the dependencies of my blog software, a Go based project. Dependency updates are important because they can contain security fixes or fixes for bugs.

Because I don’t want to manually check and update every dependency manually, I built myself a script that updates all direct and indirect dependencies. It’s also helpful because I’m bad at remembering all the necessary flags for the go mod command.

Recently Tailscale released a new version. I use Tailscale in my software as a dependency, so that it can publish blogs directly to a private Tailscale network, or tailnet.

However, this update conflicted with another dependency I use, golang.org/x/crypto. This package is used for the acme/autocert part that helps creating automatic HTTPS certificated for public sites. When I tried to run my script, I always got the following error.

go.goblog.app/app imports
        tailscale.com/tsnet imports
        tailscale.com/ipn/ipnlocal imports
        github.com/tailscale/golang-x-crypto/ssh imports
        github.com/tailscale/golang-x-crypto/chacha20 imports
        github.com/tailscale/golang-x-crypto/internal/subtle tested by
        github.com/tailscale/golang-x-crypto/internal/subtle.test imports
        golang.org/x/crypto/internal/subtle: module golang.org/x/crypto@latest found (v0.0.0-20220829220503-c86fa9a7ed90), but does not contain package golang.org/x/crypto/internal/subtle

The only (temporary!) solution is to just upgrade Tailscale and all the other direct dependencies and ignore the crypto package until Tailscale updates their dependencies as well and releases a new version.

To do so, I modified the script and introduced a “skip list”. It now fetches all updates for the direct dependencies and checks one-by-one whether the package should be skipped and when not, upgrades the package.



checkSkip() { 
  echo $SKIP | grep -F -q -w "$1"

# Update all direct dependencies to latest version
echo "Check for updates..."

# 1. Get all direct dependency updates
updates=$(go list -f '{{if (and (not .Indirect) .Update)}}{{.Path}}{{end}}' -u -m all)

# 2. Update each dependency and tidy
for update in $updates
  if checkSkip $update
  echo ""
  echo "Update $update"
  GOFLAGS=$FLAGS go get $update@latest
  GOFLAGS=$FLAGS go mod tidy

I thought about moving Tailscale to a plugin to avoid this collision, but that’s a complex project for another time…

Tags: , ,

Jan-Lukas Else
Interactions & Comments