I *think* I got to the bottom of this.  It turns out the nrpe_exporter.go 
main module imports some non-vendored dependencies:


   - github.com/aperum/nrpe
   - github.com/prometheus/client_golang/prometheus
   - github.com/prometheus/client_golang/prometheus/promhttp
   - github.com/prometheus/common/version


That is: they are not in the vendor/ directory and they are not listed in 
vendor/vendor.json, and hence weren't imported into go.mod by go mod init.  
As a result, I believe that "go build" is fetching the latest versions of 
these packages, which in turn bump up dependencies of some of the other 
packages we also use.

If that's true, then I think it would be really helpful if go build (-v) 
could flag when it decides to bump versions and show the reason, i.e. the 
chain of dependencies which resulted in this particular version being 
required.  I showed the "go mod why" output before: it shows the dependency 
chain, but not where the version requirements came from.  I think this has 
partially been raised already as https://github.com/golang/go/issues/27900

I can't see any versioning info from "go mod why".  Again, starting with 
fresh go.mod:

ubuntu@builder:~/nrpe_exporter$ egrep 'common|kingpin' go.mod
github.com/prometheus/common v0.0.0-20170908161822-2f17f4a9d485
gopkg.in/alecthomas/kingpin.v2 v2.2.5

ubuntu@builder:~/nrpe_exporter$ go mod why
*go: downloading gopkg.in/alecthomas/kingpin.v2 v2.2.5*
*go: downloading github.com/prometheus/common v0.0.0-20170908161822-2f17f4a9d485*
go: downloading github.com/go-kit/kit v0.5.1-0.20170917202734-0d313fb5fb3a
go: finding github.com/aperum/nrpe latest
*go: extracting gopkg.in/alecthomas/kingpin.v2 v2.2.5*
go: downloading github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc
go: downloading github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf
*go: extracting github.com/prometheus/common v0.0.0-20170908161822-2f17f4a9d485*
go: downloading github.com/pkg/errors v0.8.1-0.20170910134614-2b3a18b5f0fb
go: extracting github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf
go: extracting github.com/go-kit/kit v0.5.1-0.20170917202734-0d313fb5fb3a
go: extracting github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc
go: extracting github.com/pkg/errors v0.8.1-0.20170910134614-2b3a18b5f0fb
go: downloading github.com/go-logfmt/logfmt v0.3.0
go: downloading github.com/go-stack/stack v1.6.0
go: extracting github.com/go-stack/stack v1.6.0
go: extracting github.com/go-logfmt/logfmt v0.3.0
# github.com/RobustPerception/nrpe_exporter
github.com/RobustPerception/nrpe_exporter

ubuntu@builder:~/nrpe_exporter$ egrep 'common|kingpin' go.mod
github.com/prometheus/common v0.7.0
gopkg.in/alecthomas/kingpin.v2 v2.2.6

ubuntu@builder:~/nrpe_exporter$ go mod why github.com/prometheus/common
# github.com/prometheus/common
(main module does not need package github.com/prometheus/common)
ubuntu@builder:~/nrpe_exporter$ go mod why gopkg.in/alecthomas/kingpin.v2
# gopkg.in/alecthomas/kingpin.v2
github.com/RobustPerception/nrpe_exporter
gopkg.in/alecthomas/kingpin.v2

The first "go mod why" says "downloading gopkg.in/alecthomas/kingpin.v2 
v2.2.5".  But after it has finished, it has silently updated go.mod to 
depend on v2.2.6 instead.
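
An added example, not part of the original message: "go mod graph" prints every requirement edge with its version, so the chain that introduced a given version can be traced from its output. The graph below is constructed for illustration (the client_golang version is a placeholder, and the edges are assumptions, not output from the poster's machine); WhyVersion is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGraph is constructed "go mod graph" output: "requirer requirement" per
// line. The client_golang version is a placeholder, not a value from the post.
const sampleGraph = `github.com/RobustPerception/nrpe_exporter github.com/prometheus/common@v0.0.0-20170908161822-2f17f4a9d485
github.com/RobustPerception/nrpe_exporter gopkg.in/alecthomas/kingpin.v2@v2.2.5
github.com/RobustPerception/nrpe_exporter github.com/prometheus/client_golang@v0.0.0-placeholder
github.com/prometheus/client_golang@v0.0.0-placeholder github.com/prometheus/common@v0.7.0
github.com/prometheus/common@v0.7.0 gopkg.in/alecthomas/kingpin.v2@v2.2.6`

// WhyVersion maps each required version of target to the shortest chain of
// requirements leading from the main module to it (breadth-first search).
func WhyVersion(graph, target string) map[string][]string {
	adj, root := map[string][]string{}, ""
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			if !strings.Contains(f[0], "@") {
				root = f[0] // the main module carries no version
			}
			adj[f[0]] = append(adj[f[0]], f[1])
		}
	}
	parent, out := map[string]string{root: ""}, map[string][]string{}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		n := queue[0]
		if p, v, _ := strings.Cut(n, "@"); p == target {
			for c := n; c != ""; c = parent[c] {
				out[v] = append([]string{c}, out[v]...)
			}
		}
		for _, c := range adj[n] {
			if _, seen := parent[c]; !seen {
				parent[c] = n
				queue = append(queue, c)
			}
		}
	}
	return out
}

func main() {
	for v, chain := range WhyVersion(sampleGraph, "gopkg.in/alecthomas/kingpin.v2") {
		fmt.Println(v, "<-", strings.Join(chain, " -> "))
	}
}
```

On a real checkout the input would be the output of "go mod graph" run in the module directory; the highest version among the map keys is the one minimal version selection ends up writing to go.mod.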
