Fix the golang package updater #997
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
eyalk007
commented
Dec 15, 2025
eyalk007
commented
- All tests passed. If this feature is not already covered by the tests, I added new tests.
- This pull request is on the dev branch.
- I used gofmt for formatting the code before submitting the pull request.
- Update documentation about new features / new supported technologies
eyalk007
commented
Dec 15, 2025
orto17
reviewed
Dec 17, 2025
packagehandlers/gopackagehandler.go
Outdated
|
|
||
| func (golang *GoPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) error { | ||
| // Configure resolution from an Artifactory server if needed | ||
| if golang.depsRepo != "" { |
Contributor
There was a problem hiding this comment.
we want to stop support depsRepo, so those lines can be removed
Contributor
Author
There was a problem hiding this comment.
i say comment this needs to be back by q1 in my eyes
orto17
reviewed
Dec 17, 2025
packagehandlers/gopackagehandler.go
Outdated
| ) | ||
|
|
||
| type GoPackageHandler struct { | ||
| CommonPackageHandler |
Contributor
There was a problem hiding this comment.
so we dont need and want the CommonPackageHandler right?
Contributor
Author
There was a problem hiding this comment.
i believe it should not exist
maybe in the future in a diff way with the parsing, but for now we should delete implementation package by package manager
orto17
reviewed
Dec 17, 2025
| } | ||
|
|
||
| func (golang *GoPackageHandler) allowLockfileManipulation() []string { | ||
| return append(os.Environ(), "GOFLAGS=-mod=mod") |
Contributor
There was a problem hiding this comment.
can we have "GOFLAGS=-mod=mod" in a const in the beginning so it will be more clear which flags are being used for each package handler?
Contributor
Author
There was a problem hiding this comment.
feels like overkill
orto17
reviewed
Dec 17, 2025
packagehandlers/gopackagehandler.go
Outdated
| "github.com/jfrog/jfrog-client-go/utils/log" | ||
| ) | ||
|
|
||
| type GoPackageHandler struct { |
Contributor
There was a problem hiding this comment.
what do you think ti change the PackageHandler name to something more clear? for example "GolangFixPrCreator
Contributor
Author
There was a problem hiding this comment.
GolangPackageFixer
orto17
reviewed
Dec 17, 2025
eyalk007
force-pushed
the
fix-go-package-handler
branch
from
79d4322 to
5cd924b
Compare
orto17
approved these changes
Dec 18, 2025
eyalk007
changed the title
… GoPackageUpdater - Add 'v' prefix to Go module versions (fixes: go get invalid version error) - Run 'go mod tidy' after 'go get' to ensure go.mod and go.sum consistency - Set GOFLAGS=-mod=mod for predictable module behavior - Add debug logging for command output (warnings, etc.) - Remove CommonPackageHandler dependency - Go handler is now fully independent - Rename GoPackageHandler -> GoPackageUpdater (better name for future dependency bump feature) - Change receiver from 'golang' to 'gpu' for clarity - Follows Dependabot/Renovate best practices
WHAT: - Detect vendor/modules.txt to identify projects using vendoring - Automatically run 'go mod vendor' after 'go mod tidy' when vendor exists - This keeps vendor/ directory in sync with go.mod/go.sum after dependency updates WHY: - Renovate and Dependabot both support vendor directories - When dependencies are updated, vendor/ needs to be regenerated - Following industry best practices from Renovate's postUpdateOptions HOW IT WORKS: 1. After running 'go get package@version' 2. Run 'go mod tidy' (already existed) 3. NEW: Check for vendor/modules.txt 4. NEW: If found, run 'go mod vendor' to update vendor/ directory TESTING: - Test repo: frogbot-test-multi-go (has vendor/ in both projects) - Expected: After fix, vendor/ directory should be updated in PR REFERENCES: - Renovate: config.postUpdateOptions includes 'gomodTidy' - Dependabot: Automatically detects and updates vendor directories - Analysis: dependency-update-tools-analysis-mermaid.md
eyalk007
force-pushed
the
fix-go-package-handler
branch
from
7baec21 to
1df000e
Compare
- Remove depsRepo and serverDetails (not needed) - Remove Artifactory resolution code - Remove comments (anti-comment style) - Rename gopackagehandler.go -> gopackageupdater.go to match struct name
- Go handler doesn't need serverDetails or depsRepo - Empty implementation satisfies PackageHandler interface - Future: gradually remove from all handlers that don't need it
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.