Prevent a package from being updated using go modules

[Pantelis Sampaziotis]

Hi,

I would like to ask if there is a functionality similar to apt-mark hold (which prevents package from being automatically installed, upgraded or removed) in go modules.

The case I have is that after updating a package from 1.2.2 to 1.3.0, a bug was introduced which can break the app in some cases edge cases (when parsing specific json responses) on runtime.

I want to lock down the version to 1.2.2 and make sure that this package is not updated when someone runs go get -u until the bug is fixed.

It seems the replace directive https://github.com/golang/go/wiki/Modules#when-should-i-use-the-replace-directive provides similar functionality:

replace github.com/vendor/package => github.com/vendor/package v1.2.2

Is this the correct way? Is there any other solution?

thank you

[Bryan Mills]

This sort of use-case is pretty much exactly what the exclude directive is for.

(See https://tip.golang.org/cmd/go/#hdr-The_go_mod_file.)

In your go.mod file, add a directive like:

exclude github.com/vendor/package v1.3.0

In the meantime, send a PR or file an issue with github.com/vendor/package to fix the bug.

Once it's fixed, you can run go get github.com/vendor/package@$COMMIT at whatever commit fixed the bug in order to upgrade past it; then you can remove the exclude directive.

[Pantelis Sampaziotis]

Thank you Bryan.