fix(go.mod): clean up to remove dependency on deleted or unmaintained repositories: mitchellh/osext & chenzhuoyu/iasm #3099

Merged
merged 2 commits into from
Jan 17, 2025


darccio
Member

@darccio darccio commented Jan 17, 2025

What does this PR do?

Updates bytedance/sonic and confluentinc/confluent-kafka-go/v2 to avoid indirect references to two other libraries (mitchellh/osext, chenzhuoyu/iasm) that are no longer available or in bad shape.

Motivation

Found dd-trace-go compilation issues when pulling dependencies with GOPROXY=direct.

They seem to be supply chain issues, as the packages’ repositories have disappeared or been abandoned.

github.com/chenzhuoyu/iasm

After cloning dd-trace-go on a clean EC2 instance (AWS Linux 2023, Go installed using yum), this happens when running go mod tidy:

$ go mod tidy
go: downloading github.com/chenzhuoyu/iasm v0.9.0
go: github.com/bytedance/[email protected] requires
	github.com/chenzhuoyu/[email protected]: reading github.com/chenzhuoyu/iasm/go.mod at revision v0.9.0: unknown revision v0.9.0

The package github.com/chenzhuoyu/iasm is superseded by github.com/cloudwego/iasm. On top of that, the original repository doesn’t have that v0.9.0 tag.

To fix the error, we need to edit the go.mod to remove any reference to chenzhuoyu/* packages in go.mod, and to upgrade bytedance/sonic to the same version in Gin’s latest tagged release, as it’s an indirect dependency pulled in by gin-gonic/gin:

sed -i '/github.com\/chenzhuoyu\//d' go.mod
sed -i 's#github.com/bytedance/sonic v1.10.0#github.com/bytedance/sonic v1.12.0#' go.mod

github.com/mitchellh/osext

Running go mod tidy doesn’t end successfully after the previous edit, as there is another package broken: github.com/mitchellh/osext.

In this case, mitchellh/osext has disappeared. It’s unclear if it’s been deleted or set as private.

$ go mod tidy
go: github.com/confluentinc/confluent-kafka-go/[email protected] requires
	github.com/testcontainers/[email protected] requires
	github.com/containerd/[email protected] requires
	github.com/containerd/[email protected] requires
	github.com/containerd/[email protected] requires
	github.com/Microsoft/[email protected] requires
	github.com/containerd/[email protected] requires
	github.com/Microsoft/hcsshim/[email protected] requires
	github.com/docker/[email protected] requires
	github.com/mitchellh/[email protected]: invalid version: git ls-remote -q origin in /home/ec2-user/go/pkg/mod/cache/vcs/94ed57c5b21c953d93b47487113db43a5c9b69fd990329ec70dc77348c4dd443: exit status 128:
	fatal: could not read Username for 'https://github.com': terminal prompts disabled
Confirm the import path was entered correctly.
If this is a private repository, see https://golang.org/doc/faq#git_https for additional information.

The dependency comes from github.com/testcontainers/testcontainers-go, imported by github.com/confluentinc/confluent-kafka-go/v2. After multiple tests, we found that it’s required to upgrade the latter's version to a version that also upgrades testcontainers/testcontainers-go:

sed -i 's#confluentinc/confluent-kafka-go/v2 v2.2.0#confluentinc/confluent-kafka-go/v2 v2.4.0#' go.mod

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild.
  • For internal contributors, a matching PR should be created to the v2-dev branch and reviewed by @DataDog/apm-go.

Unsure? Have a question? Request a review!
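
An added example, not part of the PR or of dd-trace-go: the "requires" chains in the errors above show how a vanished module is reached, and the same chain can be recovered ahead of time from `go mod graph` output to learn which direct dependency has to be upgraded. The module paths and versions in `sampleGraph` are constructed, and `chainTo` is a hypothetical helper.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGraph is constructed `go mod graph` output: one "parent child" edge per line.
const sampleGraph = `example.test/app example.test/web@v1.9.0
example.test/app example.test/kafka@v2.2.0
example.test/web@v1.9.0 example.test/json@v1.10.0
example.test/json@v1.10.0 example.test/asm@v0.9.0
example.test/kafka@v2.2.0 example.test/containers@v0.14.0
example.test/containers@v0.14.0 example.test/docker@v20.10.17
example.test/docker@v20.10.17 example.test/osext@v0.1.0
`

// chainTo returns the shortest requirement chain from the main module (the
// parent on the first line) to any version of target, or nil if unreachable.
func chainTo(graph, target string) []string {
	edges, root := map[string][]string{}, ""
	for _, line := range strings.Split(graph, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			if root == "" {
				root = f[0]
			}
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	prev, queue := map[string]string{root: ""}, []string{root}
	for len(queue) > 0 { // breadth-first search, so the first hit is the shortest chain
		n := queue[0]
		queue = queue[1:]
		if strings.Split(n, "@")[0] == target { // compare module path, ignore version
			var chain []string
			for ; n != ""; n = prev[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, c := range edges[n] {
			if _, seen := prev[c]; !seen {
				prev[c], queue = n, append(queue, c)
			}
		}
	}
	return nil
}

func main() { fmt.Println(strings.Join(chainTo(sampleGraph, "example.test/osext"), " requires\n\t")) }
```

The second element of the returned chain is the direct dependency whose version bump can drop the unavailable module from the build list.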

… repositories: mitchellh/osext & chenzhuoyu/iasm
@darccio darccio requested a review from a team January 17, 2025 12:13
@datadog-datadog-prod-us1

datadog-datadog-prod-us1 bot commented Jan 17, 2025

Datadog Report

Branch report: dario.castane/gomod-supply-cleanup
Commit report: f84108e
Test service: dd-trace-go

✅ 0 Failed, 5185 Passed, 71 Skipped, 2m 55.12s Total Time

@pr-commenter

pr-commenter bot commented Jan 17, 2025

Benchmarks

Benchmark execution time: 2025-01-17 13:54:56

Comparing candidate commit 4c88276 in PR branch dario.castane/gomod-supply-cleanup with baseline commit 9a8062c in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 59 metrics, 0 unstable metrics.

@darccio darccio force-pushed the dario.castane/gomod-supply-cleanup branch from 0515a9a to 4c88276 Compare January 17, 2025 13:11
Contributor

@nsrip-dd nsrip-dd left a comment

FWIW I can get the same result with go mod commands, without using sed or otherwise manually editing the go.mod file:

go get github.com/bytedance/[email protected]
go get github.com/confluentinc/confluent-kafka-go/[email protected]
go mod tidy

@darccio
Member Author

darccio commented Jan 17, 2025

FWIW I can get the same result with go mod commands, without using sed or otherwise manually editing the go.mod file:

In my case, go get consistently failed in the same way as go mod tidy. That's why I relied on sed and running go mod tidy afterwards. Thanks for the approval!

@darccio darccio merged commit 24b6640 into main Jan 17, 2025
181 checks passed
@darccio darccio deleted the dario.castane/gomod-supply-cleanup branch January 17, 2025 14:35