01 Introduction
Golang 1.16 has been officially released, with some changes to Modules:
- Modules is enabled by default.
- Not automatically modified and .
- Install a specific version of the executable file by specifying the @version suffix.
- Added a retract directive to withdraw the Module version.
- Use the new configuration variable GOVCS to specify that a specific module uses a specific version control tool.
golang 1.16 Modules is enabled by default, even if it does not existThe Go command will now also be inmodule-awareBuild packages in (module aware) mode.
In golang 1.16, close by settingGO111MODULEEnvironment variables,GOPATHBuild packages in mode is still possible. You can alsoGO111MODULESet asautoso that it exists in the current directory or in any parent directoryEnable when filemodule-aware(Module Awareness) mode. You can also usego env -wPermanent settingGO111MODULEand other variables,:
goenv-wGO111MODULE=auto
Go official plan isGo 1.17Give upGOPATHMode support. in other words,Go 1.17Will be ignoredGO111MODULE. If your project is not heremodule-awareBuilt in (module aware) mode, now is the time to migrate tomodule-aware(Module Awareness) mode.
03Do not modify and
In versions prior to golang 1.16, when the go command was discoveredorIf there is a problem, if it is missingrequireInstructions or missingsum, it will try to solve the problem automatically. Go official received a lot of feedback, and this behavior is surprising, especially for go commands, such asgo list, usually without side effects. Automatic repair is not always desirable: If any required module does not provide imported packages, the Go command will add new dependencies, which may trigger an upgrade of common dependencies. Even if the input path is misspelled, it can lead to (failed) network lookup.
In golang 1.16,module-aware(Module Awareness) commandorReport an error after discovering the problem, rather than trying to solve the problem automatically. In most cases, the suggested commands are listed in the error message to resolve the issue, such as:
$ go build :3:8: no required module provides package /x/net/html; to add it: go get /x/net/html $ go get /x/net/html $ go build
golang 1.16 is the same as before Go, ifvendorThe directory exists, and the Go command may be usedvendorTable of contents.go getandgo mod tidyThe command is still modifiedand, because their main purpose is to manage dependencies.
04 Install a specific version of the executable file by specifying the @version suffix
go installThe command can now be specified by@versionSuffix installs a specific version of the executable file, for example:
go install /x/tools/[email protected]
If using@versionsuffix,go installThe command uses this exact Module version, ignoring any in the current directory and the parent directoryThe Module version in the file.
If not@versionsuffix,go installContinue to run because it has always been built using the current moduleThe versions listed in the file are listed in the requirements list and the replacements list.
To eliminate the ambiguity of which version to use, use this installation syntaxgo install program@latestThere may be several restrictions in the Go program file. In particular, at least not allowed at this timereplaceandexcludeinstruction. In the long run, once newgo install program@versionOn the premise that it works well in most usage situations, Go officially plans to make it in a future versiongo getThe command stops the installation of binary files.
05Add a new retract command to withdraw Module version
Did you accidentally release the module version before it is ready? Or, did you find a problem after releasing a version that needs a quick fix? Errors in published versions are difficult to correct. In order to maintain the certainty of module generation, the version cannot be modified after it is released. Even if you delete or change the version tag,and other agents may already have the original cache.
Module authors can now useIn-houseretractDirective retract module version. The version of retract is still there and can be downloaded (so that the build that depends on it will not break), but the go command is solving@latestIt will not be automatically selected when waiting for the version.go getandgo list -m -uA warning about an existing purpose is printed.
For example, suppose that a popular library author/libRelease v1.0.5 and then discover a new security issue. They can add directives to theirFiles, for example:
//-2021-01234.
retractv1.0.5
Next, the author can tag and push version v1.0.6, the new highest version. After this, users who already rely on v1.0.5 will receive a revocation notification when checking for updates or upgrading dependent packages. The notification message may include text that retrieves the comment above the instruction. For example:
$ go list -m -u all /lib v1.0.0 (retracted) $ go get . go: warning: /[email protected]: retracted by module author: Remote-triggered crash in package foo. See CVE-2021-01234. go: to switch to the latest unretracted version, run: go get /lib@latest
06Use new configuration variables GOVCS to specify specific modules to use specific version control tools
The go command can be from the mirrorOr download the module source code directly from the version control repository, using git, hg, svn, bzr, or fossil. Direct version control access is important, especially for private modules that are not available on the proxy, but it can also be a security issue: errors in version control tools can be exploited by malicious servers to run malicious code.
Go 1.16 introduces a new configuration variable, GOVCS, which allows users to specify which modules allow specific version control tools. GOVCS accepts a comma-separated list of patterns: vcslist rules.
The pattern is one. Match pattern matches one or more major elements of the module path. Public and private special patterns match public and private modules (private is defined as modules that match patterns in GOPRIVATE; public is everything else). vcslist is a pipeline-separated list that allows version control commands or keywords all or off. For example:
GOVCS=:git,:off,*:git|hg
With this setting, you can use git to download it withThe module of the path; cannot be downloaded using any version control commandspath on, download all other paths using git or hg (*Match all contents) module.
If the environment variable GOVCS is not set, or if the module does not match any pattern, the Go command will use the default values of GOVCS: allow git and hg for public modules, and allow all tools for private modules.
The reason why setting only Git and Mercurial is that these two version control tools are most concerned with running as clients of untrusted servers. By contrast, Bazaar, Fossil and Subversion are primarily used in trusted, proven environments and are not well scrutinized like attack surfaces. That is, the default setting is:
GOVCS=public:git|hg,private:all
07Module Future Development
We hope you find these features useful. We have started developing module features for Go 1.17, especially lazy module loading, which should make the module loading process faster and more stable.
08 Summary
This article mainly introduces some changes made by Golang 1.16 for Module. Through these official Module changes from Go, the actual problems of Go users when using Go are effectively solved. Go official also said it will plan to completely remove it in Golang 1.17GOPATHmode, so if your project has not been moved to Module mode at this time, it is time to start migrating.
This is the article about the main changes and updates of Modules in Golang 1.16. For more information about changes in Golang Modules, please search for my previous articles or continue browsing the related articles below. I hope everyone will support me in the future!