Description
Proposal Details
I recently released a bad version of a library I maintain, and used the "retract" feature for the first time.
I expected that running 'go mod tidy' would check for retracted versions, and was surprised to learn it doesn't. 'go get ./...' will check for retracted versions, and emit a warning (but still return a 0 exit code).
go: warning: github.com/segmentio/stats/[email protected]: retracted by module author: this version contains an error that truncates metric, tag, and field names
go: to switch to the latest unretracted version, run:
go get github.com/segmentio/stats/v5@latest
The proposal is to have 'go mod tidy' output the same error text as 'go get ./...' if you try to import a retracted version. More broadly, you should be able to run a Go command in your CI environment that will fail the build if you import a retracted dependency, the same way e.g. go vet ./... will return a non-zero exit code if you fail a vet check.
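Until such a command exists, the build-failing check described above can be assembled from what the toolchain already exposes. The program below is an added example for this issue, not code from the Go project: it runs `go list -m -json -retracted all` (the documented `Retracted []string` field is only populated with -retracted or -u), decodes the concatenated JSON objects that `go list` writes, and exits non-zero if any non-main module in the build list is retracted. The `SampleGoListOutput` constant is constructed sample output with made-up module paths, used so the parsing logic can be exercised without a network or a module cache.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strings"
)

// moduleInfo is the subset of the fields documented in `go help list` for
// `go list -m -json` that this check needs.
type moduleInfo struct {
	Path      string
	Version   string
	Main      bool
	Indirect  bool
	Retracted []string // retraction rationale(s); set only with -retracted or -u
}

// RetractedModule describes one retracted dependency found in the build list.
type RetractedModule struct {
	Path    string
	Version string
	Reason  string
}

// SampleGoListOutput is constructed sample output in the shape `go list -m -json`
// produces: a stream of JSON objects, not a JSON array. Module paths are made up.
const SampleGoListOutput = `{"Path":"example.com/app","Main":true}
{"Path":"example.com/dep","Version":"v1.2.3","Retracted":["constructed: this release truncates names"]}
{"Path":"example.com/ok","Version":"v0.9.0","Indirect":true}
`

// FindRetracted decodes a `go list -m -json` stream and returns every
// non-main module whose Retracted field is non-empty.
func FindRetracted(r io.Reader) ([]RetractedModule, error) {
	dec := json.NewDecoder(r)
	var found []RetractedModule
	for {
		var m moduleInfo
		err := dec.Decode(&m)
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("decoding go list output: %w", err)
		}
		// The main module cannot be retracted from its own point of view.
		if m.Main || len(m.Retracted) == 0 {
			continue
		}
		found = append(found, RetractedModule{
			Path:    m.Path,
			Version: m.Version,
			Reason:  strings.Join(m.Retracted, "; "),
		})
	}
	return found, nil
}

// main is the CI entry point: it shells out to the real `go list` and fails
// the build (exit status 1) when any retracted dependency is in the build list.
func main() {
	cmd := exec.Command("go", "list", "-m", "-json", "-retracted", "all")
	cmd.Stderr = os.Stderr
	raw, err := cmd.Output()
	if err != nil {
		fmt.Fprintf(os.Stderr, "go list failed: %v\n", err)
		os.Exit(2)
	}
	found, err := FindRetracted(bytes.NewReader(raw))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range found {
		fmt.Fprintf(os.Stderr, "retracted dependency: %s@%s: %s\n", f.Path, f.Version, f.Reason)
	}
	if len(found) > 0 {
		os.Exit(1)
	}
}
```

Run it from the module root as a CI step (`go run ./cmd/retractcheck`, or whatever path you place it under); a zero exit status means no module in the build list carries a retraction. Exit status 2 is reserved for tool failures so a broken `go list` invocation is not mistaken for a clean result.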
Other UX issues
When I posted about this in the #modules channel of Gopher slack, someone suggested I should use govulncheck to check for retracted versions. This doesn't work, or rather, it only flags retracted versions that are also tied to a security vulnerability in some other database.
No frontier LLM (Claude 4, ChatGPT o3, Google Gemini 2.5) suggests using the Go native tooling provided by 'go get' for checking this - they all suggest running e.g.
go list -m -json all | jq 'select(.Retracted == true)' # Gemini
retracted=$(go list -m -retracted -f '{{if .Retracted}}{{.Path}}@{{.Version}}{{end}}' all 2>/dev/null | grep -v "^$" || true) # Claude
Both of these anecdotes suggest substantial trouble with using the retraction feature in the "correct" way.