Comment by purpleidea

purpleidea Jan 28, 2025 parent

The _tooling_ is not reproducible. Take a not small golang project with some number of dependencies and there should be a single list of the latest versions for the entire project. And exactly what golang commands do you run to generate that list? It's totally broken. This is why so many tools cropped up like go-mod-upgrade and so on.

Everyone downvoting obviously doesn't understand the problem.

verdverm Jan 28, 2025

`go.mod` contains the dependency list and minimum version required

`go.sum` is a lock file for the exact versions to use (ensures reproducibility)

`go mod graph` will produce the dependency graph with resolved versions

`go list -deps ./...` will give you all packages used by a module or directory, depending on the args you provide

`go get -u ./...` will update all dependencies to their latest version

Here is a post about Go toolchain reproducibility and verification: https://go.dev/blog/rebuild

You are being downvoted for being wrong and talking about downvoting, which is called out as something not to do in the posting & commenting guidelines

arccy Jan 28, 2025

the versions in go.mod are an enforcement of the versions required by your dependencies, and those your module require. asking for it to be reproducible from scratch is like deleting package.json in a node project and asking it to magic all your >= < version constraints out of thin air, it's impossible because you're deleting the source.

This item has no comments currently.