Potential collision and risk from indirect dependence "github.com/gotestyourself/gotestyourself"

[KateGo520]

Background

Repo ystia/yorc used the old path to import gotestyourself indirectly.
This caused that github.com/gotestyourself/gotestyourself and gotest.tools coexist in this repo：
https://github.com/ystia/yorc/blob/develop/go.mod （Line 52 & 118）

github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
gotest.tools v2.2.0+incompatible // indirect 

That’s because the gotestyourself has already renamed it’s import path from "github.com/gotestyourself/gotestyourself" to "gotest.tools". When you use the old path "github.com/gotestyourself/gotestyourself" to import the gotestyourself, will reintroduces gotestyourself through the import statements "import gotest.tools" in the go source file of gotestyourself.

https://github.com/gotestyourself/gotest.tools/blob/v2.2.0/fs/example_test.go#L8

package fs_test
import (
	…
	"gotest.tools/assert"
	"gotest.tools/assert/cmp"
	"gotest.tools/fs"
	"gotest.tools/golden"
)

"github.com/gotestyourself/gotestyourself" and "gotest.tools" are the same repos. This will work in isolation, bring about potential risks and problems.

Solution

Add replace statement in the go.mod file:

replace github.com/gotestyourself/gotestyourself => gotest.tools v2.3.0

Then clean the go.mod.

[KateGo520]

@stebenoist @loicalbertin Could you help me review this issue? Thx :p

[loicalbertin]

Hi @KateGo520,

Thanks for opening this issue!

Repositories renaming is such painful for users!

Are you actually facing an issue on Yorc or is this really just about potential risks & problems?

Actually this dependency is transitively coming from a old version of Hashicorp Vault itself using an old version of github.com/ory/dockertest.

Using

replace github.com/gotestyourself/gotestyourself => gotest.tools v2.2.0

Is not that simple as we will face the pkg used for two different module paths issue so we will probably need to replace to another version like

replace github.com/gotestyourself/gotestyourself => gotest.tools v2.3.0

In fact github.com/ory/dockertest recently fixes in its v3 the issue by now using gotest.tools/v3.
To properly fix this, Vault should be updated to use github.com/ory/dockertest/v3 and we should upgrade to a newer version of Vault (which is planned in #619).

[KateGo520]

Thank you for your reply! @loicalbertin
Updating to a newer version of Vault sounds good to me.