Scalingo/go-scalingo

Can you release a new v4 of this library without the dependency on github.com/dgrijalva/jwt-go?

flori opened this issue · 4 comments

flori commented

Otherwise it's really difficult to get rid of the unsecure github.com/dgrijalva/jwt-go indirect dependency of this library without replacing it in the go.mod file.

Isn't it the case with the version 4.13.1?

flori commented

I found out what the cause of the problem was now. I was importing "github.com/Scalingo/go-scalingo" as shown in the README.md file. go mod resolves this to "github.com/Scalingo/go-scalingo v4.7.2+incompatible" in the go.mod file, that is, all subsequent versions weren't upgraded to. It only works if I import "github.com/Scalingo/go-scalingo/v4" instead, and it will be resolved to v4.15.1, which is actually the newest version. It's probably not a coincidence that the version after v4.7.2, namely v4.8.0, is the one in which you migrated to go mod. I am not sure if everybody now has to import "github.com/Scalingo/go-scalingo/v4" or if it's possible to have the old "github.com/Scalingo/go-scalingo" resolve to the newest release again. Maybe there's something in this totally not confusing document https://github.com/golang/go/wiki/Modules#releasing-modules-v2-or-higher on how to do that.

Ooooooh OK I understand the confusion. I'm updating the README to limit the confusion. However we won't be able to make github.com/Scalingo/go-scalingo resolve the newest release, sorry. Using github.com/Scalingo/go-scalingo/v4 is mandatory.

flori commented

Thx, I feared that every client has to use a new path now. The golang versioning always seemed to be a bit messy to me, let's hope that it will improve once everybody uses go mod.
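
The resolution problem discussed in this thread can be checked for mechanically. The following is an added example, not part of the thread or of the go-scalingo code base: it scans go.mod text for requirements pinned to a `+incompatible` version and reports the `/vN` import path to check. `Finding`, `FindIncompatible`, `sampleGoMod` and the `example.com` modules are hypothetical names and constructed data; the candidate path is an assumption that upstream actually publishes a `/vN` module.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is a requirement resolved to a pre-module "+incompatible" release.
type Finding struct {
	Path, Version, Candidate string
	Indirect                 bool
}

// sampleGoMod is constructed; only the go-scalingo line comes from the thread.
const sampleGoMod = "require (\n\tgithub.com/Scalingo/go-scalingo v4.7.2+incompatible\n" +
	"\texample.com/legacy v2.0.0+incompatible // indirect\n\texample.com/lib v1.2.3\n)\n"

// FindIncompatible lists go.mod requirements resolved as "+incompatible" and
// the /vN path to check; Candidate is an assumption, upstream may not publish it.
func FindIncompatible(gomod string) []Finding {
	var out []Finding
	block := ""
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasSuffix(line, "(") { // start of require/replace/exclude block
			block = strings.TrimSpace(strings.TrimSuffix(line, "("))
			continue
		}
		if line == ")" {
			block = ""
			continue
		}
		single := block == "" && strings.HasPrefix(line, "require ")
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if (block != "require" && !single) || len(f) < 2 || !strings.HasSuffix(f[1], "+incompatible") {
			continue
		}
		major := strings.SplitN(f[1], ".", 2)[0] // "v4.7.2+incompatible" -> "v4"
		out = append(out, Finding{f[0], f[1], f[0] + "/" + major, strings.Contains(line, "// indirect")})
	}
	return out
}

func main() {
	for _, f := range FindIncompatible(sampleGoMod) {
		fmt.Printf("%s %s (indirect=%v): try %s\n", f.Path, f.Version, f.Indirect, f.Candidate)
	}
}
```

A flagged entry means the module is frozen at its last pre-module tag, so later releases, including ones that drop a vulnerable transitive dependency, are never selected until the import path is changed.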