Skip to content

Specifying Go minor version in go.mod forces users to upgrade their Go minor versions as well #1077

Closed
@arjan-bal

Description

@arjan-bal

In #1038. the Go major version was bumped to 1.22 AND the Go minor version was also specified. Quoting this comment from @ash2k:

The issue with specifying the patch version that is not 0 is that now all modules that import this module will have to use this or a newer version. There may be reasons people don't or cannot use the more recent patch version. FWIW I think a library shouldn't have an opinion on the patch version used.

An example of this - we use https://github.com/golang-fips/go/ to provide FIPS-compatible builds. Not all Go versions may be available there e.g. right now there is no 1.23.2. Go 1.22.7 was released 2024-09-05 but FIPS version was tagged 2024-09-27. If grpc-go released a CVE fix in the window of those 22 days, we wouldn't have been able to upgrade.

TL;DR this doesn't benefit grpc-go in any way but might hurt your users.

Due to user feedback, gRPC Go decided to drop the Go minor version in grpc/grpc-go#7831. However using the latest version of go-control-plane is re-introducing the minor version constraint: grpc/grpc-go#7974

Looking at #1038, it doesn't appear necessary to specify the minor version. I’d like to request that the minor version constraint be dropped.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions