Old versions of golang.org/x/net/html have vulnerabilities. Yikes! Better upgrade the packages. We used govendor to set up our Shopify integration project two years ago; so let's use govendor to upgrade:
ip-192-168-3-40:Shopify-Gateway username$ git diff
ip-192-168-3-40:Shopify-Gateway username$ govendor fetch golang.org/x/net/html
ip-192-168-3-40:Shopify-Gateway username$ git diff
ip-192-168-3-40:Shopify-Gateway username$
Govendor isn't doing anything! Here is the vendor.json file after the fetch:
{
"checksumSHA1": "vqc3a+oTUGX8PmD0TS+qQ7gmN8I=",
"path": "golang.org/x/net/html",
"revision": "d997483c6db05184c79c182674d01f1e7b7553ae",
"revisionTime": "2017-05-30T13:01:13Z"
},
That is a pretty old revision, certainly older than the vulnerability fix which is dated Sep 25, 2018. Govendor is an older package, and doesn't seem to be maintained any more. Do I have to replace govendor? Is there a natural replacement? Or is there something else I am doing wrong that is preventing me from updating my packages?
Version info:
ip-192-168-3-40:Shopify-Gateway username$ govendor --version
v1.0.9
ip-192-168-3-40:Shopify-Gateway username$ go version
go version go1.13.1 darwin/amd64
EDIT: Many are suggesting go modules. We can't use them! We're relying on an unversioned dependency, and when we try to upgrade a package to go modules this dependency is dropped to a lower version, thus introducing database security vulnerabilities. I need to be able to update packages in place, as they have been installed by govendor.
I've also tried to install specific version numbers of the govendor packages that I want to use:
ip-192-168-3-40:Shopify-Gateway username$ govendor fetch golang.org/x/net/html@d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
ip-192-168-3-40:Shopify-Gateway username$ git diff
ip-192-168-3-40:Shopify-Gateway username$
Why isn't govendor updating my package?
You have to migrate to go modules. In first instance, create a new module. With these easy steps you will be able to init a module and create the go.mod file [https://stackoverflow.com/a/57944766/9361998]. Then you have to type:
Note, with the latest command you are going to update the dep to the latest MINOR patch, be sure to change the go.mod file with the latest MAJOR version
EDIT
Another approach can be to download the module in your GOPATH using go get -v -u github.com/repository_name/module_name. By this way the module will be downloaded in your GOPATH.