Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependencies to latest versions #1339

Closed

Conversation

nodivbyzero
Copy link
Contributor

Fixes Or Enhances

  • chore: update dependencies to latest versions
  • go ver. 1.23
  • all dependencies to latest versions
  • GitHub Action workflow with go 1.23

@go-playground/validator-maintainers

@nodivbyzero nodivbyzero requested a review from a team as a code owner December 4, 2024 01:31
@nodivbyzero nodivbyzero force-pushed the upd-deps-dec-2024 branch 3 times, most recently from 73437f7 to ae55dab Compare December 4, 2024 02:03
@nodivbyzero nodivbyzero marked this pull request as draft December 4, 2024 02:20
@nodivbyzero nodivbyzero force-pushed the upd-deps-dec-2024 branch 2 times, most recently from 4f95f97 to 709e955 Compare December 4, 2024 02:46
@nodivbyzero nodivbyzero marked this pull request as ready for review December 4, 2024 02:48
@nodivbyzero
Copy link
Contributor Author

@deankarn Is it ok to merge this PR?

@deankarn
Copy link

deankarn commented Dec 4, 2024

@nodivbyzero no because of:

  • The addition of the /vendor directory and deps within.
  • Min Go supported version has been bumped from 1.17 to 1.21 which is a breaking change requiring a major version bump

@coveralls
Copy link

coveralls commented Dec 4, 2024

Coverage Status

coverage: 74.318%. remained the same
when pulling 709e955 on nodivbyzero:upd-deps-dec-2024
into 6c3307e on go-playground:master.

@nodivbyzero
Copy link
Contributor Author

nodivbyzero commented Dec 4, 2024

@deankarn I've updated my PR and removed the vendor folder.
Quick question: Is there a requirement to support Go 1.17 as the minimum version?

@deankarn
Copy link

deankarn commented Dec 5, 2024

Quick question: Is there a requirement to support Go 1.17 as the minimum version?

@nodivbyzero only that if anyone is still using Go 1.17 it would/could break people existing builds if we add anything that’s not backward compatible with 1.17 which is more likely than other version bumps because thats when generics were added. I would love to recommend others update to a newer version if in this situation but possible they can’t for some reason or other reasons.

We can add more recent features though, without bumping a major version(which is a pain because of the way go versions > v1 is in the import path itself and is prolific down the dependency tree), by adding compile time directives.

I can totally be convinced otherwise though and perhaps, for a future addition, can add to the README + docs that we support up to only say 3-4 version back from the latest.

@nodivbyzero
Copy link
Contributor Author

@deankarn Thank you for the detailed explanation.
I noticed that the last major release occurred on November 17, 2019, which was five years ago. While maintaining compatibility with older Go versions is important, addressing vulnerabilities and keeping dependencies updated is equally critical.

Here's a proposed plan:

  • Notify the community via 'GitHub Discussions' about introducing a major version update cycle aligned with every three Go version updates.
  • Update the README to include a compatibility plan.
  • Close this PR for the time being.

What are your thoughts on this approach?

@deankarn
Copy link

deankarn commented Dec 6, 2024

@nodivbyzero it sounds reasonable, but I want to think about it for a little bit first as the one aspect that still bothers me is that bumping major versions in Go causes all package imports needing to be updated as well.

This doesn’t sound like much when it’s a single project or repo, but even I have production code that spans many repos which updating like this becomes a major chore. Maybe not with this package specifically but I have seen subtle bugs and issues arise when you miss updating one of these imports in your dependency chain also when the package self-initializes/ is meant to be a singleton. (As a personal note I very much dislike how go has done this and IMO should have relied on the mod file to specify the version and not imports…)

I have been and will continue to read about how others handle this. This is an old discussion for Rust not Go but highlight the same issues rust-lang/api-guidelines#123

@nodivbyzero
Copy link
Contributor Author

Closing this PR in favor of the discussion at #1342

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants