First stable version of several package under golang.org/x/

[Michel Levieux]

Hi all,

I was bumping the dependencies of our codebase today, and noticed that many packages under golang.org/x/ had upgraded from a pseudo-version to a real, semver version:

-   golang.org/x/net v0.0.0-20220927171203-f486391704dc // indirect

-    golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7 // indirect

-   golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec // indirect

-   golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect

+   golang.org/x/net v0.1.0 // indirect

+    golang.org/x/sync v0.1.0 // indirect

+   golang.org/x/sys v0.1.0 // indirect

+   golang.org/x/time v0.1.0 // indirect

...and others. Is there something we should be aware of concerning this upgrade? I've seen no announcement everywhere I've been looking, which makes me suppose there's nothing very interesting going on there but that surprised me.

If anyone has more information, I'll gladly take it! Thanks!

[Heschi Kreinick]

Yeah, text and tools were already tagged back from https://go.dev/blog/path-security, and we've started tagging some other golang.org/x repositories now. They'll be tagged every month or so if they have changes, and their dependencies on each other will be upgraded.

Note that so far these are all v0 versions, so they're not necessarily stable as you said in your subject. No stability promises have changed as a result of these tags. That said, now that we have a process for automatic tagging, some repositories may be more likely to tag to a stable version. See https://go.dev/issue/56325.

I didn't think this change warranted an announcement, but I'll discuss it and maybe reconsider. Thanks.

[Michel Levieux]

Thank you for the detailed answer! Indeed this may not warrant any announcement, just wanted to be sure I wasn't missing something! :sweat_smile:

I'll follow that closely.

Thanks!