Govendor is not importing newer versions


Old versions of golang.org/x/net/html have vulnerabilities. Yikes! Better upgrade the packages. We used govendor to set up our Shopify integration project two years ago, so let's use govendor to upgrade:

    ip-192-168-3-40:Shopify-Gateway username$ git diff
    ip-192-168-3-40:Shopify-Gateway username$ govendor fetch golang.org/x/net/html
    ip-192-168-3-40:Shopify-Gateway username$ git diff
    ip-192-168-3-40:Shopify-Gateway username$

Govendor isn't doing anything! Here is the vendor.json file after the fetch:

    {
        "checksumSHA1": "vqc3a+oTUGX8PmD0TS+qQ7gmN8I=",
        "path": "golang.org/x/net/html",
        "revision": "d997483c6db05184c79c182674d01f1e7b7553ae",
        "revisionTime": "2017-05-30T13:01:13Z"
    },

That is a pretty old revision, certainly older than the vulnerability fix which is dated Sep 25, 2018. Govendor is an older package, and doesn't seem to be maintained any more. Do I have to replace govendor? Is there a natural replacement? Or is there something else I am doing wrong that is preventing me from updating my packages?

Version info:

    ip-192-168-3-40:Shopify-Gateway username$ govendor --version
    v1.0.9
    ip-192-168-3-40:Shopify-Gateway username$ go version
    go version go1.13.1 darwin/amd64

EDIT: Many are suggesting go modules. We can't use them! We're relying on an unversioned dependency, and when we try to upgrade a package to go modules this dependency is dropped to a lower version, thus introducing database security vulnerabilities. I need to be able to update packages in place, as they have been installed by govendor.

I've also tried to install specific version numbers of the govendor packages that I want to use:

    ip-192-168-3-40:Shopify-Gateway username$ govendor fetch golang.org/x/net/html@d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
    ip-192-168-3-40:Shopify-Gateway username$ git diff
    ip-192-168-3-40:Shopify-Gateway username$

Why isn't govendor updating my package?


There is 1 best solution below


You have to migrate to go modules. First, create a new module. With these easy steps you will be able to init a module and create the go.mod file [https://stackoverflow.com/a/57944766/9361998].

Then you have to type:

    go mod init YOUR_REPOSITORY_NAME
    go clean
    go mod download  # wait until dependencies are downloaded
    go build         # be sure that the code compiles
    go mod tidy      # prune unnecessary dependencies
    go get -u ./...  # update dependencies

Note: with the last command you are going to update the dependencies to the latest MINOR patch; be sure to change the go.mod file to the latest MAJOR version.

EDIT

Another approach is to download the module into your GOPATH using go get -v -u github.com/repository_name/module_name. This way the module will be downloaded into your GOPATH.
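A check for the situation described in the question, as an added example that is not part of the original posts: it parses a govendor vendor.json and lists the packages whose pinned revisionTime predates a fix date, so a fetch that silently changes nothing is caught by tooling instead of by reading git diff. The function name staleBefore and the second sample entry are made up for illustration; the sample data is constructed around the entry quoted in the question, wrapped in the top-level "package" array that govendor writes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// vendorFile mirrors the parts of govendor's vendor/vendor.json used here.
type vendorFile struct {
	Package []struct {
		Path         string    `json:"path"`
		Revision     string    `json:"revision"`
		RevisionTime time.Time `json:"revisionTime"`
	} `json:"package"`
}

// sample is constructed: the entry from the question plus a made-up newer one.
const sample = `{"package": [
  {"checksumSHA1": "vqc3a+oTUGX8PmD0TS+qQ7gmN8I=", "path": "golang.org/x/net/html",
   "revision": "d997483c6db05184c79c182674d01f1e7b7553ae", "revisionTime": "2017-05-30T13:01:13Z"},
  {"path": "example.com/constructed/pkg", "revision": "0000000000000000000000000000000000000000",
   "revisionTime": "2019-01-02T03:04:05Z"}
]}`

// staleBefore returns "path@revision" for every vendored package under prefix
// whose pinned revision was committed before the fix date. An entry with no
// revisionTime decodes to the zero time and is therefore reported as stale.
func staleBefore(data []byte, prefix string, fix time.Time) ([]string, error) {
	var vf vendorFile
	if err := json.Unmarshal(data, &vf); err != nil {
		return nil, fmt.Errorf("parse vendor.json: %w", err)
	}
	var stale []string
	for _, p := range vf.Package {
		if strings.HasPrefix(p.Path, prefix) && p.RevisionTime.Before(fix) {
			stale = append(stale, p.Path+"@"+p.Revision)
		}
	}
	return stale, nil
}

func main() {
	fix := time.Date(2018, time.September, 25, 0, 0, 0, 0, time.UTC) // fix date from the question
	stale, err := staleBefore([]byte(sample), "golang.org/x/", fix)
	fmt.Println(stale, err)
}
```

In a real project, read vendor/vendor.json with os.ReadFile and fail the build when the returned list is non-empty.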