On Monday, January 31, 2022 at 1:22:09 AM UTC-5 leig...@gmail.com wrote:

> I'm a user of the sentry-go SDK who has been impacted by the large number of dependencies in the past.
>
> > Independently, if your users have automated tools that are issuing false-positive CVE warnings based on the module graph instead of the package-import graph, you may want to suggest that they file issues against those tools.
>
> Does using the package-import graph capture the full picture of how a module impacts importers of the module?

No. However, it does capture many of the properties relevant to build times, source code downloads, binary sizes, and security exposure, especially given https://go.dev/issue/44435 (a `go mod download` change coming in Go 1.18).

> My understanding – maybe incorrect or outdated – is that importing a module still brings that module's complete dependency graph into the dependency resolution process. Anyone using dependencies imported will be limited by the minimum versions defined in the sentry-go SDK or any transitive dependency through sentry-go. Even if their go.mod is simpler on the surface, an SDK with a large and far-reaching dependency graph can still impact other projects.

That is no longer the case for modules at `go 1.17` or higher, due to module graph pruning <https://go.dev/ref/mod#graph-pruning> taking effect at that version. If your module is at `go 1.17` or higher, then importing a package from a `go 1.17` or higher module only brings in one layer of that module's dependencies, plus the dependencies of any other packages that are added to your module's package-import graph as a result of that import.

> Bryan, is there a good example of how to use the go tool to provide details of the package-import graph? I would normally use go mod graph and go mod why, which, as I understand, are both limited to the module graph.

`go mod why` does inspect the package-import graph — not the module graph — but admittedly only in a fairly limited way: it gives a path of package imports from your main module to the named package or (with the `-m` flag) module. In addition, there are some third-party tools built on top of `go list` (such as goda <https://github.com/loov/goda>) that can perform more detailed queries on the package-import graph.
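As an added example, not part of the thread, the following Go program contrasts the two graphs discussed above: it takes constructed output from `go mod graph` and from a `go list -deps` template query (the package-import graph) and lists the modules that appear in the module graph but contribute no package to the build, which is exactly where a scanner working from the module graph alone over-reports. All module paths and versions are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample output of the package-import graph query (a std package
// prints an empty line, the main module an empty version):
//   go list -deps -f '{{if .Module}}{{.Module.Path}}@{{.Module.Version}}{{end}}' ./...
const sampleList = `example.com/app@

example.com/sdk@v1.2.0
example.com/dep-a@v0.3.1`

// Constructed `go mod graph` output: dep-a appears at two versions; dep-b and dep-c are never imported.
const sampleGraph = `example.com/app example.com/sdk@v1.2.0
example.com/sdk@v1.2.0 example.com/dep-a@v0.3.1
example.com/sdk@v1.2.0 example.com/dep-b@v2.0.0
example.com/dep-b@v2.0.0 example.com/dep-a@v0.2.0
example.com/dep-b@v2.0.0 example.com/dep-c@v0.1.0`

// modulePaths collects the module path of every "path@version" token, skipping blank lines and the unversioned main module.
func modulePaths(s string) map[string]bool {
	out := map[string]bool{}
	for _, f := range strings.Fields(s) {
		if i := strings.IndexByte(f, '@'); i > 0 && i < len(f)-1 {
			out[f[:i]] = true
		}
	}
	return out
}

// moduleOnly lists modules in the module graph that contribute no package to the build: the ones a module-graph-only scanner over-reports.
func moduleOnly(graph, build map[string]bool) []string {
	var res []string
	for m := range graph {
		if !build[m] {
			res = append(res, m)
		}
	}
	sort.Strings(res)
	return res
}

func main() {
	fmt.Println(moduleOnly(modulePaths(sampleGraph), modulePaths(sampleList)))
	// [example.com/dep-b example.com/dep-c]
}
```

Because comparison is by module path, an older version of dep-a that only appears in the module graph is not reported: MVS selects the newer version, which is in the build.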