Can't use the master version of a package

[pierrre]

dep status shows:

PROJECT                           CONSTRAINT     VERSION        REVISION  LATEST   PKGS USED
...
github.com/gorilla/context        branch master  v1.1           1ea2538   08b5f42  1
...

Gopkg.toml

...
[[dependencies]]
  branch = "master"
  name = "github.com/gorilla/context"
...

Gopkg.lock

...
[[projects]]
  name = "github.com/gorilla/context"
  packages = ["."]
  revision = "1ea25387ff6f684839d82767c1733ff4d4d15d0a"
  version = "v1.1"
...

After I run dep ensure --update, this package still doesn't use the latest version.
Am I doing something wrong, or is it a bug ?

Thanks

[carolynvs]

I'm having trouble reproducing this. Does this look like what you have? If you are working from a public repo, that would help reproduce.

original Gopkg.toml

[[dependencies]]
  branch = "master"
  name = "github.com/gorilla/context"

original Gopkg.lock

memo = "395afa48a6fc987f195bf0c62dfb8b07579932e9aa5bf76884d68e49c1f28712"

[[projects]]
  name = "github.com/gorilla/context"
  packages = ["."]
  revision = "1ea25387ff6f684839d82767c1733ff4d4d15d0a"
  version = "v1.1"

Update

dep ensure -update

final Gopkg.lock

memo = "395afa48a6fc987f195bf0c62dfb8b07579932e9aa5bf76884d68e49c1f28712"

[[projects]]
  branch = "master"
  name = "github.com/gorilla/context"
  packages = ["."]
  revision = "08b5f424b9271eedf6f9f0ce86cb9396ed337a42"

$ dep status
PROJECT                     CONSTRAINT     VERSION        REVISION  LATEST   PKGS USED
github.com/gorilla/context  branch master  branch master  08b5f42   08b5f42  1

[sdboyer]

@pierrre I'm guessing that, for your project, github.com/gorilla/context is probably a transitive dependency, not a direct one? Constraints given in a project's manifest are only applied if the dependent project is actually imported.

[pierrre]

@sdboyer yes, my direct dependency is github.com/gorilla/mux.
Is there a reason why I can't use a constraint for a transitive dependency ?
If I remember correctly, Composer (PHP package manager) allows it.

@carolynvs no sorry, it's a private repository.
In my code I just use github.com/gorilla/mux.

[sdboyer]

@pierrre If your constraint was the master branch, it never should've been able to produce that lock in the first place, and it certainly shouldn't persist after a dep ensure. It's unfortunately hard to say more without being able to look at the project directly. However, if you could paste the output of dep hash-inputs here, that would help.

[sdboyer]

(feel free to redact the contents as needed)

[pierrre]

@sdboyer

-CONSTRAINTS-
github.com/<redacted>/golang-libraries
b-master
github.com/getsentry/raven-go
b-master
github.com/gorilla/mux
b-master
github.com/pkg/errors
b-master
github.com/streadway/amqp
b-master
-IMPORTS/REQS-
github.com/<redacted>/golang-libraries/pkg1
github.com/<redacted>/golang-libraries/pkg2
github.com/<redacted>/golang-libraries/pkg3
github.com/<redacted>/golang-libraries/pkg4
github.com/<redacted>/golang-libraries/pkg5
github.com/<redacted>/golang-libraries/pkg6
github.com/<redacted>/golang-libraries/pkg7
github.com/<redacted>/golang-libraries/pkg8
github.com/<redacted>/golang-libraries/pkg9
github.com/getsentry/raven-go
github.com/gorilla/mux
github.com/pkg/errors
github.com/streadway/amqp
-IGNORES-
-OVERRIDES-
-ANALYZER-
dep
1

Full Gopkg.toml

[[dependencies]]
  branch = "master"
  name = "github.com/<redacted>/golang-libraries"

[[dependencies]]
  branch = "master"
  name = "github.com/certifi/gocertifi"

[[dependencies]]
  branch = "master"
  name = "github.com/getsentry/raven-go"

[[dependencies]]
  branch = "master"
  name = "github.com/gorilla/context"

[[dependencies]]
  branch = "master"
  name = "github.com/gorilla/mux"

[[dependencies]]
  branch = "master"
  name = "github.com/pkg/errors"

[[dependencies]]
  branch = "master"
  name = "github.com/streadway/amqp"

Full Gopkg.lock

memo = "2fc1b4ded414adf615239746d64b3205021f89b0ef6e7275631d92a3ae189896"

[[projects]]
  branch = "master"
  name = "github.com/<redacted>/golang-libraries"
  packages = ["pkg1","pkg2","pkg3","pkg4","pkg5","pkg6","pkg7","pkg8","pkg9"]
  revision = "1f90f4068b30bb5dc0e31d09b46622848e27b3f7"

[[projects]]
  name = "github.com/certifi/gocertifi"
  packages = ["."]
  revision = "03be5e6bb9874570ea7fb0961225d193cbc374c5"
  version = "2017.01.23"

[[projects]]
  branch = "master"
  name = "github.com/getsentry/raven-go"
  packages = ["."]
  revision = "b68337dbf03e7fbb53d9fd9b63fd09b28e8f13f7"

[[projects]]
  name = "github.com/gorilla/context"
  packages = ["."]
  revision = "1ea25387ff6f684839d82767c1733ff4d4d15d0a"
  version = "v1.1"

[[projects]]
  branch = "master"
  name = "github.com/gorilla/mux"
  packages = ["."]
  revision = "599cba5e7b6137d46ddf58fb1765f5d928e69604"

[[projects]]
  branch = "master"
  name = "github.com/pkg/errors"
  packages = ["."]
  revision = "ff09b135c25aae272398c51a07235b90a75aa4f0"

[[projects]]
  branch = "master"
  name = "github.com/streadway/amqp"
  packages = ["."]
  revision = "afe8eee29a74d213b1f3fb2586058157c397da60"

@carolynvs Should I also try to write a small project in a public repository ?
i'm just using the latest gorilla/mux.

[sdboyer]

@pierrre looks like your direct dependency is github.com/gorilla/mux (so your constraint is respected), but not github.com/gorilla/context (so your constraint is not respected).

And, I forgot to address your question earlier about why Composer works differently - it's because in Composer (and every other system I'm aware of), the manifest is responsible for both the concept of "REQUIREMENT" and "CONSTRAINT". In dep, the manifest is only responsible for "CONSTRAINT" - the import graph dictates "REQUIREMENT." We believe this to a be a positive thing, in general, as it means less need to futz with the manifest during the course of normal development. However, between that and the difference between package and project, absurd situations arise if we don't limit the scope of constraints to direct dependencies of a project.

If you absolutely need to specify the constraint of a transitive dep from your own project, you have two options:

1. Specify the constraint on github.com/gorilla/context via an override. Overrides apply globally, but are a power only given to the root project, so if anything else imports your project, the override won't be used.
2. Mark github.com/gorilla/context as a required package in the manifest. This will cause it to be treated as a direct dependency, and your constraint will come into effect.

However, before taking either of those steps, I'd say it's worth asking if you actually need to use master of github.com/gorilla/context. I imagine it's imported by github.com/gorilla/mux - and if that package is OK with using the tagged release instead of master (which is the preferred mode of operation anyway), then maybe that should be good enough for you? If you really needed something out of github.com/gorilla/context, then you'd probably be importing it directly and doing something with it - no?

[pierrre]

Thank you for your detailed explanation.
It solves my problem.

I was trying to migrate one of my projects to dep.
I'm currently using godep with this logic:

• update dependencies (direct and transitive) in my $GOPATH to their latest version
• copy dependencies to my project with godep

I didn't understand why I couldn't update transitive dependencies to the latest available version.