go mod tidy flags `golang.org/x/vuln/vulncheck` as problematic
atc0005 opened this issue · comments
From the /tools
path:
$ go mod tidy
go: downloading golang.org/x/vuln v0.0.0-20230313161840-8a73a7e4f203
go: finding module for package golang.org/x/vuln/vulncheck
github.com/atc0005/go-ci/tools imports
golang.org/x/vuln/vulncheck: module golang.org/x/vuln@latest found (v0.0.0-20230313161840-8a73a7e4f203), but does not contain package golang.org/x/vuln/vulncheck
I had a clue that something was off while reviewing the changes from #948:
diff --git a/tools/go.mod b/tools/go.mod
index 0d65ee1..ee2d480 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -8,7 +8,7 @@ require (
github.com/fatih/errwrap v1.5.0
// golangci-lint - intended as a primary linter
- github.com/golangci/golangci-lint v1.51.2
+ github.com/golangci/golangci-lint v1.52.0
// httperroryzer - provided as an optional linter
github.com/orijtech/httperroryzer v0.0.1
@@ -19,10 +19,6 @@ require (
// tomll - provided as an optional linter
github.com/pelletier/go-toml/v2 v2.0.7
- // govulncheck - provided as an optional vulnerability analyzer
- // https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck?tab=versions
- golang.org/x/vuln v0.0.0-20230313161840-8a73a7e4f203
-
// staticcheck - intended as a primary linter
honnef.co/go/tools v0.4.3
@@ -49,7 +45,7 @@ require (
github.com/dave/dst v0.27.0 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
- github.com/fatih/color v1.14.1 // indirect
+ github.com/fatih/color v1.15.0 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-git/gcfg v1.5.0 // indirect
github.com/go-git/go-billy/v5 v5.4.1 // indirect
@@ -74,7 +70,6 @@ require (
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
- github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/rogpeppe/go-internal v1.9.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -100,7 +95,7 @@ require (
golang.org/x/net v0.8.0 // indirect
golang.org/x/sys v0.6.0 // indirect
golang.org/x/text v0.8.0 // indirect
- golang.org/x/tools v0.6.1-0.20230217175706-3102dad5faf9 // indirect
+ golang.org/x/tools v0.7.0 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
In that case the golang.org/x/vuln
entry was removed entirely.
golang.org/x/vuln/vulncheck: module golang.org/x/vuln@latest found (v0.0.0-20230313161840-8a73a7e4f203), but does not contain package golang.org/x/vuln/vulncheck
From https://pkg.go.dev/golang.org/x/vuln/vulncheck:
This package is not in the latest version of its module.
Screenshot:
Sounds like the package has been moved or renamed.