
fix: add dedicated go.mod for /v2 to fix /v2 imports #4370

Closed. TylerGillson wants to merge 2 commits into dexidp:master from TylerGillson:fix/v2-import

@TylerGillson commented Oct 15, 2025

Overview

Applies the major version subdirectory approach to fixing dex's currently broken usage of major version release tags without a corresponding major version in go.mod.

This approach maintains backward compatibility with current projects importing pseudo versions.

What this PR does / why we need it

Closes #4222

Special notes for your reviewer

govulncheck should stop flagging https://pkg.go.dev/vuln/GO-2024-2476#versions-note once this is merged and a new release is published.

…g backward compatibility

Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com>
@kulaginds

@nabokihms Hi! Can you review this simple PR which fixed go mod v2 compatibility?

@TylerGillson
Author

Hey @nabokihms. Is there anything I can do to move this forward?

@nabokihms
Member

@TylerGillson I will test this PR, missed it completely. If standard go tooling works from the root, it seems ok, but maybe we need just to migrate imports... I will test and return back with the verdict.

@nabokihms
Member

Ok, I tested. It seems like we cannot move forward with this PR.

  1. How do we keep both go.mod files in sync? Probably, we do not need to because it is a fake gomod, but it confuses users
  2. How will Dependabot work? It should probably update the main go mod and skip the /v2
  3. Imports like github.com/dexidp/dex/v2/server still do not work, because v2 is just a stub

If we want to properly solve the problem with v2, I would like to solve it the right way, but it is a big breaking change for many

@TylerGillson
Author

@nabokihms you’re right.. my apologies. I’ll close this PR. A v2/go.mod without packages under v2/ doesn’t fix github.com/dexidp/dex/v2/... imports and doesn't add any value. I misunderstood the Go major version subdirectory guidance.

The root issue here is that dex uses v2.x tags on the github.com/dexidp/dex root module, which doesn't end with v2. This results in +incompatible Go imports and the vulnerability flagging I originally raised.

There are three options:

  1. Keep the current module path, but revert the latest release to the v1.x tag line.
  2. Add a proper github.com/dexidp/dex/v2 module with all code under v2/ and update all imports (large, breaking change).
  3. Do nothing 😢
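
An added example, not part of the thread or of dex's code: the Go program below encodes the semantic import versioning rule the last comment refers to, and goes slightly beyond it by separating tags that carry a go.mod from tags that do not. `Classify`, its result strings and the tags are constructed for illustration; whether a given tag has a go.mod is an assumption supplied through `hasGoMod`.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

var (
	tagRE    = regexp.MustCompile(`^v(\d+)\.\d+\.\d+(-[0-9A-Za-z.-]+)?$`)
	suffixRE = regexp.MustCompile(`/v(\d+)$`)
)

// Classify reports how the go command treats release tag `tag` for module
// path `modulePath`. hasGoMod says whether a go.mod exists at the repository
// root at that tag. gopkg.in paths and subdirectory tag prefixes are not handled.
func Classify(modulePath, tag string, hasGoMod bool) string {
	t := tagRE.FindStringSubmatch(tag)
	if t == nil {
		return "invalid-tag"
	}
	tagMajor, _ := strconv.Atoi(t[1])
	pathMajor := 0 // 0 means "no suffix", which covers v0 and v1
	if s := suffixRE.FindStringSubmatch(modulePath); s != nil {
		pathMajor, _ = strconv.Atoi(s[1])
		if pathMajor < 2 {
			return "invalid-path" // /v0 and /v1 suffixes are not allowed
		}
	}
	switch {
	case pathMajor == 0 && tagMajor <= 1:
		return "ok"
	case pathMajor != 0 && pathMajor == tagMajor:
		return "ok"
	case pathMajor == 0 && !hasGoMod:
		return "incompatible" // usable only as <tag>+incompatible
	case pathMajor == 0:
		return "rejected" // go.mod present, so the major version must be v0 or v1
	default:
		return "rejected" // path suffix and tag major version disagree
	}
}

func main() {
	// Constructed inputs: module paths are from the thread, tags are made up.
	fmt.Println(Classify("github.com/dexidp/dex", "v2.0.0", false))
	fmt.Println(Classify("github.com/dexidp/dex", "v2.0.0", true))
	fmt.Println(Classify("github.com/dexidp/dex/v2", "v2.0.0", true))
	fmt.Println(Classify("github.com/dexidp/dex", "v1.0.0", true))
}
```

Options 1 and 2 from the list above correspond to the two inputs that classify as `ok`: an unsuffixed path with a v1.x tag, or a `/v2` path with a v2.x tag.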

Successfully merging this pull request may close these issues.

import of v2 dex release versions fails due to no /v2 in module name
