#otel dependencies are aged

shy compass

I recently did a go mod update, and this updated otel/log to v0.9.0. This broke all of dagger. Is there a plan to keep upstream dependencies up to date? This seems like an important thing to do, e.g. for dependencies with vulnerabilities.

➜ go mod why go.opentelemetry.io/otel/log
# go.opentelemetry.io/otel/log
ghe.metrumrg.com/metworx/core/magefiles
dagger.io/dagger
dagger.io/dagger/internal/engineconn
dagger.io/dagger/telemetry
go.opentelemetry.io/otel/log

sullen wren

I believe those dependencies are updated at each release of the dagger go sdk. What version of dagger are you using?

otel libraries are famously unstable and tend to break without warning. So in this case it's not necessarily a good idea to blindly update.

shy compass

I had a go get script in mage that pulls and updates deps. I modified it today to only update required packages, not //indirect ones.

This is why I isolate magefiles into its own package in our monorepo.

mental badger

I resolved to pin otel modules with replaces in our monorepo.

shy compass

In my case, I'm isolated with my magefiles also being its own go module.

sullen wren

@mystic glen 👋 might be of interest to you