github.com/shogo82148/std@v1.22.1-0.20240327122250-4e474527810c/cmd/go/internal/modget/get.go

// Copyright 2018 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package modget implements the module-aware “go get” command.
package modget

import (
	"github.com/shogo82148/std/cmd/go/internal/base"
)

var CmdGet = &base.Command{

	UsageLine: "go get [-t] [-u] [-v] [build flags] [packages]",
	Short:     "add dependencies to current module and install them",
	Long: `
Get resolves its command-line arguments to packages at specific module versions,
updates go.mod to require those versions, and downloads source code into the
module cache.

To add a dependency for a package or upgrade it to its latest version:

	go get example.com/pkg

To upgrade or downgrade a package to a specific version:

	go get example.com/pkg@v1.2.3

To remove a dependency on a module and downgrade modules that require it:

	go get example.com/mod@none

To upgrade the minimum required Go version to the latest released Go version:

	go get go@latest

To upgrade the Go toolchain to the latest patch release of the current Go toolchain:

	go get toolchain@patch

See https://golang.org/ref/mod#go-get for details.

In earlier versions of Go, 'go get' was used to build and install packages.
Now, 'go get' is dedicated to adjusting dependencies in go.mod. 'go install'
may be used to build and install commands instead. When a version is specified,
'go install' runs in module-aware mode and ignores the go.mod file in the
current directory. For example:

	go install example.com/pkg@v1.2.3
	go install example.com/pkg@latest

See 'go help install' or https://golang.org/ref/mod#go-install for details.

'go get' accepts the following flags.

The -t flag instructs get to consider modules needed to build tests of
packages specified on the command line.

The -u flag instructs get to update modules providing dependencies
of packages named on the command line to use newer minor or patch
releases when available.

The -u=patch flag (not -u patch) also instructs get to update dependencies,
but changes the default to select patch releases.

When the -t and -u flags are used together, get will update
test dependencies as well.

The -x flag prints commands as they are executed. This is useful for
debugging version control commands when a module is downloaded directly
from a repository.

For more about modules, see https://golang.org/ref/mod.

For more about using 'go get' to update the minimum Go version and
suggested Go toolchain, see https://go.dev/doc/toolchain.

For more about specifying packages, see 'go help packages'.

This text describes the behavior of get using modules to manage source
code and dependencies. If instead the go command is running in GOPATH
mode, the details of get's flags and effects change, as does 'go help get'.
See 'go help gopath-get'.

See also: go build, go install, go clean, go mod.
	`,
}

var HelpVCS = &base.Command{
	UsageLine: "vcs",
	Short:     "controlling version control with GOVCS",
	Long: `
The 'go get' command can run version control commands like git
to download imported code. This functionality is critical to the decentralized
Go package ecosystem, in which code can be imported from any server,
but it is also a potential security problem, if a malicious server finds a
way to cause the invoked version control command to run unintended code.

To balance the functionality and security concerns, the 'go get' command
by default will only use git and hg to download code from public servers.
But it will use any known version control system (bzr, fossil, git, hg, svn)
to download code from private servers, defined as those hosting packages
matching the GOPRIVATE variable (see 'go help private'). The rationale behind
allowing only Git and Mercurial is that these two systems have had the most
attention to issues of being run as clients of untrusted servers. In contrast,
Bazaar, Fossil, and Subversion have primarily been used in trusted,
authenticated environments and are not as well scrutinized as attack surfaces.

The version control command restrictions only apply when using direct version
control access to download code. When downloading modules from a proxy,
'go get' uses the proxy protocol instead, which is always permitted.
By default, the 'go get' command uses the Go module mirror (proxy.golang.org)
for public packages and only falls back to version control for private
packages or when the mirror refuses to serve a public package (typically for
legal reasons). Therefore, clients can still access public code served from
Bazaar, Fossil, or Subversion repositories by default, because those downloads
use the Go module mirror, which takes on the security risk of running the
version control commands using a custom sandbox.

The GOVCS variable can be used to change the allowed version control systems
for specific packages (identified by a module or import path).
The GOVCS variable applies when building package in both module-aware mode
and GOPATH mode. When using modules, the patterns match against the module path.
When using GOPATH, the patterns match against the import path corresponding to
the root of the version control repository.

The general form of the GOVCS setting is a comma-separated list of
pattern:vcslist rules. The pattern is a glob pattern that must match
one or more leading elements of the module or import path. The vcslist
is a pipe-separated list of allowed version control commands, or "all"
to allow use of any known command, or "off" to disallow all commands.
Note that if a module matches a pattern with vcslist "off", it may still be
downloaded if the origin server uses the "mod" scheme, which instructs the
go command to download the module using the GOPROXY protocol.
The earliest matching pattern in the list applies, even if later patterns
might also match.

For example, consider:

	GOVCS=github.com:git,evil.com:off,*:git|hg

With this setting, code with a module or import path beginning with
github.com/ can only use git; paths on evil.com cannot use any version
control command, and all other paths (* matches everything) can use
only git or hg.

The special patterns "public" and "private" match public and private
module or import paths. A path is private if it matches the GOPRIVATE
variable; otherwise it is public.

If no rules in the GOVCS variable match a particular module or import path,
the 'go get' command applies its default rule, which can now be summarized
in GOVCS notation as 'public:git|hg,private:all'.

To allow unfettered use of any version control system for any package, use:

	GOVCS=*:all

To disable all use of version control, use:

	GOVCS=*:off

The 'go env -w' command (see 'go help env') can be used to set the GOVCS
variable for future go command invocations.
	`,
}
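
The GOVCS rules described in the HelpVCS text above, as an added example for auditing a setting before it is deployed; it is not the go command's own code and is not part of this file. The names prefixMatch and Allowed are hypothetical, GOPRIVATE is assumed to be a comma-separated list of prefix globs, and malformed rules are skipped here rather than reported.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// prefixMatch reports whether glob matches the leading elements of target.
func prefixMatch(glob, target string) bool {
	n := strings.Count(glob, "/") + 1
	elems := strings.Split(target, "/")
	if len(elems) < n {
		return false
	}
	ok, _ := path.Match(glob, strings.Join(elems[:n], "/"))
	return ok
}

// Allowed models the documented rules (an assumption-level sketch): the
// first matching rule wins, then the default public:git|hg,private:all.
func Allowed(govcs, goprivate, target, vcs string) bool {
	private := false
	for _, g := range strings.Split(goprivate, ",") {
		private = private || (g != "" && prefixMatch(g, target))
	}
	for _, rule := range strings.Split(govcs+",public:git|hg,private:all", ",") {
		pattern, list, ok := strings.Cut(rule, ":")
		if !ok {
			continue // empty or malformed rule: skipped in this sketch
		}
		hit := prefixMatch(pattern, target)
		switch pattern {
		case "public":
			hit = !private
		case "private":
			hit = private
		}
		if hit {
			return list == "all" || (list != "off" && strings.Contains("|"+list+"|", "|"+vcs+"|"))
		}
	}
	return false
}

func main() {
	govcs := "github.com:git,evil.com:off,*:git|hg" // example from the help text
	fmt.Println(Allowed(govcs, "", "github.com/user/repo", "hg")) // false
	fmt.Println(Allowed(govcs, "", "example.org/x", "hg"))        // true
}
```

Allowed covers direct version control access only; as the help text notes, a module under an "off" rule can still be downloaded through the GOPROXY protocol.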