[BUG] v1.5.2 checksum mismatch
Opened this issue · 5 comments
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
The module checksum for v1.5.2 in this repository does not match the checksum recorded in Go's checksum database.
Expected Behavior
No checksum mismatch.
Steps To Reproduce
Run the following commands to observe the security error:
mkdir fail
cd fail
go mod init fail.com
go clean --modcache
GOPROXY=direct go get github.com/gorilla/websocket@v1.5.2
Anything else?
I can't believe I observe this happening with the project I love...
Dear maintainers, never remove tags. It's the second time you've done this.
Thanks for bringing this to my attention, I’ll discuss with the other maintainers.
Thanks for pointing this out - coincidentally we just cut release https://github.com/gorilla/websocket/releases/tag/v1.5.3 which should be stable.
It is recommended to add time to the pre-release version and retain it. If you delete the version directly, it will cause the go get operation to fail.
Consider retracting v1.5.2 - https://go.dev/ref/mod#go-mod-file-retract
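Why a moved or re-created tag produces the mismatch reported in this issue, as an added example that is not part of the original thread or the project's code: a simplified re-implementation of the `h1:` directory hash (the scheme in `golang.org/x/mod/sumdb/dirhash`) run over two constructed file trees that share one version string. The module path `example.com/mod`, the version `v1.0.0`, the file contents and the helper names `h1`, `verify` and `tree` are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// h1 computes a Go module "h1:" hash: SHA-256 over a sorted manifest with one
// "<sha256 hex of file>  <module>@<version>/<path>\n" line per file.
func h1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify compares a freshly downloaded tree with the hash recorded earlier.
func verify(recorded string, downloaded map[string][]byte) error {
	if got := h1(downloaded); got != recorded {
		return fmt.Errorf("checksum mismatch: downloaded %s, recorded %s", got, recorded)
	}
	return nil
}

// tree builds a constructed sample module; limit stands in for any source
// change made between the first tag and the moved tag.
func tree(limit int) map[string][]byte {
	const prefix = "example.com/mod@v1.0.0/" // placeholder module and version
	return map[string][]byte{
		prefix + "go.mod":  []byte("module example.com/mod\n"),
		prefix + "conn.go": []byte(fmt.Sprintf("package mod\n\nconst Limit = %d\n", limit)),
	}
}

func main() {
	recorded := h1(tree(512)) // hash logged when the version was first fetched
	fmt.Println("first fetch:", verify(recorded, tree(512)))
	fmt.Println("after retag:", verify(recorded, tree(1024)))
}
```

Because the recorded hash covers every file under the version, any content change behind an unchanged version string fails verification, which is why publishing a new version or retracting the old one avoids the error while moving the tag does not.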