fix(gomod): Exclude multi-line exclude directives from extraction #35623

Merged
rarkins merged 2 commits into renovatebot:main from leipert:leipert-fix-gomod-exclude on Apr 30, 2025

@leipert leipert commented Apr 29, 2025

Changes & context

chore(gomod): Specs for go.mod directives unrelated to dependencies

This adds a few unit tests for go.mod directives that are not related to
dependencies: godebug, retract and single-line exclude. All of
those should be ignored.

The exclude directive prevents a module version from being loaded by
the go command.
https://go.dev/ref/mod#go-mod-file-exclude

Apparently they can be used to e.g. block a specific version of a
dependency which has a known vulnerability. Simply updating the
exclude section doesn't make the most sense as someone wanted to
exclude a specific version of a dependency.

Note: This commit doesn't fix the behaviour for multi-line excludes, it
just increases test coverage to show that single-line excludes are
already ignored.

References:

fix(gomod): Exclude multi-line exclude directives from extraction

With #28852, suddenly
multiline exclude directives have been renovated.

Given that single-line exclude directives are not renovated, this just
aligns the behaviour between the two. In a future iteration the
excludes could be parsed in order to change the behaviour for renovate
with regards to the dependency updates, but it is unclear what that
would entail.

So simply skipping them could be good enough.

Side-note: The regex based parsing seems to be really tricky for a lock
file which might contain multi line blocks. One should consider
rewriting it in a proper loop.

References:

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

CLAassistant commented Apr 29, 2025

CLA assistant check
All committers have signed the CLA.

Comment thread lib/modules/manager/gomod/line-parser.ts Outdated
leipert added 2 commits April 29, 2025 23:45
This adds a few unit tests for go.mod directives that are not related to
dependencies: `godebug`, `retract` and single-line `exclude`. All of
those should be ignored.

> The `exclude` directive prevents a module version from being loaded by
> the `go` command.
> https://go.dev/ref/mod#go-mod-file-exclude

Apparently they can be used to e.g. block a specific version of a
dependency which has a known vulnerability. Simply updating the
`exclude` section doesn't make the most sense as someone wanted to
exclude a specific version of a dependency.

Note: This commit doesn't fix the behaviour for multi-line excludes, it
just increases test coverage to show that single-line excludes are
already ignored.

References:
- https://go.dev/doc/modules/gomod-ref

With renovatebot#28852, suddenly
multiline `exclude` directives have been renovated.

Given that single-line `exclude` directives are not renovated, this just
aligns the behaviour between the two. In a future iteration the
`exclude`s could be parsed in order to change the behaviour for renovate
with regards to the dependency updates, but it is unclear what that
would entail.

So simply skipping them could be good enough.

Side-note: The regex based parsing seems to be really tricky for a lock
file which might contain multi line blocks. One should consider
rewriting it in a proper loop.

References:
- renovatebot#31905
@leipert leipert force-pushed the leipert-fix-gomod-exclude branch from 53d23b3 to 0b5bbe1 Compare April 29, 2025 21:54
@leipert leipert changed the title fix(gomod): Exclude exclude directive from dependency updates fix(gomod): Exclude multi-line exclude directives from extraction Apr 29, 2025
Comment thread lib/modules/manager/gomod/line-parser.ts
@rarkins rarkins requested review from secustor and viceice April 30, 2025 07:24
@rarkins rarkins enabled auto-merge April 30, 2025 08:26
@rarkins rarkins added this pull request to the merge queue Apr 30, 2025
Merged via the queue into renovatebot:main with commit a345524 Apr 30, 2025
40 checks passed
@renovate-release

🎉 This PR is included in version 40.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

SuperSandro2000 added a commit to SuperSandro2000/renovate that referenced this pull request May 1, 2025
* upstream/main: (176 commits)
  build(deps): update aws-sdk-js-v3 monorepo (main) (renovatebot#35660)
  chore(deps): update docker/dockerfile docker tag to v1.15.1 (main) (renovatebot#35659)
  fix(deps): update ghcr.io/renovatebot/base-image docker tag to v9.64.3 (main) (renovatebot#35657)
  chore: thre -> the (renovatebot#35655)
  chore(deps): update dependency vite to v6.3.4 [security] (main) (renovatebot#35653)
  build(deps): update dependency glob to v11.0.2 (main) (renovatebot#35649)
  fix(memCache): disallow http requests in cache to be mutable (renovatebot#35647)
  fix(gomod): Exclude multi-line `exclude` directives from extraction (renovatebot#35623)
  docs(config options): rewrite `ignoreScripts` (renovatebot#32171)
  chore(deps): update python:3.13 docker digest to 884da97 (main) (renovatebot#35645)
  chore(deps): update python docker tag to v3.13.3 (main) (renovatebot#35276)
  fix(deps): update ghcr.io/renovatebot/base-image docker tag to v9.64.2 (main) (renovatebot#35644)
  feat(config)!: validate allowedCommands against post-compiled commands (renovatebot#35564)
  feat(config)!: create new Config Warning issues each time (renovatebot#35565)
  feat(autodiscoverFilter)!: support combined negative matches (renovatebot#34707)
  feat(datasource/maven)!: use latest and release values as tags (renovatebot#35515)
  feat!: require node v22.13 (renovatebot#34524)
  chore(deps): update dependency esbuild to v0.25.3 (main) (renovatebot#35637)
  chore(deps): update python:3.13 docker digest to 19c3e96 (main) (renovatebot#35636)
  feat(deps): update ghcr.io/renovatebot/base-image docker tag to v9.64.1 (main) (renovatebot#35632)
  ...
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 31, 2025