Dependency on go-cose version that does not exist. #2162
Comments
|
Can someone explain this? |
1 similar comment
|
Can someone explain this? |
|
To explain; It plays havoc with our internal build process, in that we are unable to allow "go mod" and "tidy" to run without explicitly pinning specific dependencies, which is never best practice, especially if there are other third-party libraries in the mix. When building and fetching dependencies everything blows up with an unresolved dependency on go-cose v1.2.0 because the go.mod for hcsshim specifies go-cose v1.2.0 as a dependency. The dependency resolution step of the go build process attempts to go and download this specific go-cose version and fails because it doesn't exist. Ideally, the fix here would be for the maintainers of hcsshim to update the go.mod to reference an active "published" version of go-cose (followed by a run of "go mod tidy" to ensure that the go.sum file is present and correct). Hopefully, that makes a bit more sense. Sorry for my original cryptic message. |
|
Please note that this now also breaks Kubernetes vendoring in stricter environments (i.e. with It'd be great if you could make a stable release with the vendor fixed. |
The indirect dependency on "github.com/veraison/go-cose@v1.2.0" [https://github.com/microsoft/hcsshim/blob/8beabacfc2d21767a07c20f8dd5f9f3932dbf305/go.mod#L99] cannot be resolved.
This is due to v1.2.0 being retracted by the developer:
[https://github.com/veraison/go-cose/pull/153]
This dependency should be updated to reference the current release "github.com/veraison/go-cose@v1.1.0"
The text was updated successfully, but these errors were encountered: