Update go dependencies

Makefile

@@ -151,8 +151,7 @@ admin_client_run: client_deps
 
 .PHONY: go_deps_update
 go_deps_update:
-	go get -u=patch -v
-	go mod tidy
+	go run cmd/update_deps/main.go
 
 .PHONY: check_gopath
 check_gopath: go_version .check_gopath.stamp
@@ -196,7 +195,7 @@ bin/rds-combined-ca-bundle.pem:
 .PHONY: server_deps
 server_deps: check_hosts check_gopath build_chamber build_soda build_callgraph get_gotools bin/rds-combined-ca-bundle.pem .server_deps.stamp
 .server_deps.stamp:
-	go build -i -ldflags "$(LDFLAGS)" -o bin/gosec github.com/securego/gosec/cmd/gosec
+#	go build -i -ldflags "$(LDFLAGS)" -o bin/gosec github.com/securego/gosec/cmd/gosec
 	go build -i -ldflags "$(LDFLAGS)" -o bin/gin github.com/codegangsta/gin
 	go build -i -ldflags "$(LDFLAGS)" -o bin/swagger github.com/go-swagger/go-swagger/cmd/swagger
 	touch .server_deps.stamp

cmd/update_deps/main.go

@@ -0,0 +1,81 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os/exec"
+	"time"
+
+	"github.com/rogpeppe/go-internal/modfile"
+	"github.com/rogpeppe/go-internal/semver"
+)
+
+// Use a custom branch for the following dependencies
+var customBranches = map[string]string{
+	"github.com/trussworks/pdfcpu": "afero",
+}
+
+// This program exists so that we can work around go mod's MVS behavior.
+// For each dependency listed in go.mod, this program will update that dependency
+// to either the latest released patch (using go get -u=patch) or the latest commit
+// on the master branch based on if we're currently using a tagged version or a
+// commit.
+//
+// There is a special case for pdfcpu, where we need to pull in the latest commit on a
+// non-master branch.
+func main() {
+	content, readErr := ioutil.ReadFile("go.mod")
+	if readErr != nil {
+		log.Fatal(readErr)
+	}
+
+	file, parseErr := modfile.Parse("go.mod", content, nil)
+	if parseErr != nil {
+		log.Fatal(parseErr)
+	}
+
+	for _, req := range file.Require {
+		fmt.Printf("%s", req.Mod.Path)
+
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		args := updateArgs(req)
+
+		out, cmdErr := exec.CommandContext(ctx, "go", args...).CombinedOutput()
+		if cmdErr != nil {
+			fmt.Println(" ×")
+			if ctx.Err() == context.DeadlineExceeded {
+				log.Fatalf("timed out trying trying to run %s %s", "go", args)
+			} else {
+				log.Fatalf("failed to update %s: ran %s %v, got %s", req.Mod.Path, "go", args, string(out))
+			}
+		}
+
+		cancel()
+		fmt.Println(" ✓")
+	}
+
+	if output, err := modTidy(); err != nil {
+		log.Fatalf("failed to run go mod tidy: got %s, error was %s", output, err)
+	}
+}
+
+func updateArgs(req *modfile.Require) []string {
+	if semver.Prerelease(req.Mod.Version) == "" {
+		// Use the latest patch release if we're already using a tagged release
+		return []string{"get", "-u=patch", req.Mod.Path}
+	}
+
+	branch := "master"
+	customBranch, ok := customBranches[req.Mod.Path]
+	if ok {
+		branch = customBranch
+	}
+
+	return []string{"get", req.Mod.Path + "@" + branch}
+}
+
+func modTidy() ([]byte, error) {
+	return exec.Command("go", "mod", "tidy").CombinedOutput()
+}

docs/README.md

@@ -21,6 +21,7 @@ If you are looking to understand choices made in this project, see the list of [
 * [display dates and times](how-to/display-dates-and-times.md#how-to-display-dates-and-times)
 * [Generate Mocks with Mockery](how-to/generate-mocks-with-mockery.md#how-to-generate-mocks-with-mockery)
 * [Instrument Data in Honeycomb](how-to/instrument-data-in-honeycomb.md#how-to-instrument-data-in-honeycomb)
+* [Manage Dependencies With go mod](how-to/manage-dependencies-with-go-mod.md#how-to-manage-dependencies-with-go-mod)
 * [Manage Docker Locally](how-to/manage-docker-locally.md#how-to-manage-docker-locally)
 * [Migrate the Database](how-to/migrate-the-database.md#how-to-migrate-the-database)
 * [revert a change](how-to/revert-a-change.md#how-to-revert-a-change)

docs/how-to/manage-dependencies-with-go-mod.md

@@ -0,0 +1,29 @@
+# How to Manage Dependencies With go mod
+
+[Go modules](https://github.com/golang/go/wiki/Modules) is the built-in dependency system provided by Go. It supersedes [dep](https://golang.github.io/dep/), which we previously used to manage Go dependencies.
+
+It's important to note that go mod uses a [different dependency resolution algorithm](https://github.com/golang/go/wiki/Modules#version-selection) than many other packaging tools. It will install _oldest_ indirect
+dependency (called _minimal version selection_) that will satisfy all direct dependencies, whereas other package managers will tend to install the _newest_.
+You can read more about the rationale behind this approach [in the original proposal](https://github.com/golang/proposal/blob/master/design/24301-versioned-go.md#update-timing--high-fidelity-builds).
+
+For the most part, a developer interacts with `go mod` using `go get`. The other go tools are likewise aware of how to work with go modules.
+
+## Update all go dependencies
+
+```console
+$ go get -u
+```
+
+## Update a specific dependency
+
+```console
+$ go get -u github.com/pkg/errors
+```
+
+## Update a specific dependency to a specific branch
+
+The following updates `github.com/pkg/errors` to the latest version available on the `master` branch:
+
+```console
+$ go get -u github.com/pkg/errors@master
+```

go.mod

@@ -4,94 +4,82 @@ go 1.12
 
 require (
 	github.com/0xAX/notificator v0.0.0-20181105090803-d81462e38c21 // indirect
-	github.com/99designs/aws-vault v0.0.0-20190131002258-305bcd142e1d
+	github.com/99designs/aws-vault v0.0.0-20190321042810-2bec5348b22f
 	github.com/99designs/keyring v0.0.0-20190110203331-82da6802f65f
-	github.com/aulanov/go.dbus v0.0.0-20150729231527-25c3068a42a0 // indirect
-	github.com/aws/aws-sdk-go v1.16.26
+	github.com/aws/aws-sdk-go v1.19.17
 	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
 	github.com/codegangsta/envy v0.0.0-20141216192214-4b78388c8ce4 // indirect
 	github.com/codegangsta/gin v0.0.0-20171026143024-cafe2ce98974
-	github.com/danieljoos/wincred v1.0.1 // indirect
+	github.com/danieljoos/wincred v1.0.2-0.20190202162700-b892d337201d // indirect
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dustin/go-humanize v1.0.0
-	github.com/dvsekhvalnov/jose2go v0.0.0-20170216131308-f21a8cedbbae // indirect
 	github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a
 	github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51 // indirect
 	github.com/facebookgo/limitgroup v0.0.0-20150612190941-6abd8d71ec01 // indirect
 	github.com/facebookgo/muster v0.0.0-20150708232844-fd3d7953fd52 // indirect
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
 	github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870 // indirect
 	github.com/felixge/httpsnoop v1.0.0
-	github.com/go-gomail/gomail v0.0.0-20150902115704-41f357289737
-	github.com/go-ini/ini v1.41.0 // indirect
-	github.com/go-openapi/analysis v0.19.0 // indirect
+	github.com/go-gomail/gomail v0.0.0-20160411212932-81ebce5c23df
 	github.com/go-openapi/errors v0.19.0
-	github.com/go-openapi/inflect v0.19.0 // indirect
-	github.com/go-openapi/jsonpointer v0.18.0 // indirect
-	github.com/go-openapi/jsonreference v0.18.0 // indirect
 	github.com/go-openapi/loads v0.19.0
-	github.com/go-openapi/runtime v0.18.0
+	github.com/go-openapi/runtime v0.19.0
 	github.com/go-openapi/spec v0.19.0
-	github.com/go-openapi/strfmt v0.17.2
-	github.com/go-openapi/swag v0.17.2
-	github.com/go-openapi/validate v0.18.0
-	github.com/go-swagger/go-swagger v0.0.0-20190131051450-84485ed136c5
-	github.com/go-swagger/scan-repo-boundary v0.0.0-20180623220736-973b3573c013 // indirect
-	github.com/gobuffalo/buffalo-plugins v1.12.1 // indirect
-	github.com/gobuffalo/fizz v1.5.0 // indirect
-	github.com/gobuffalo/packr v1.21.0
-	github.com/gobuffalo/pop v4.9.6+incompatible
+	github.com/go-openapi/strfmt v0.19.0
+	github.com/go-openapi/swag v0.19.0
+	github.com/go-openapi/validate v0.19.0
+	github.com/go-swagger/go-swagger v0.19.1-0.20190418040917-7c42b9948129
+	github.com/gobuffalo/fizz v1.7.0 // indirect
+	github.com/gobuffalo/helpers v0.0.0-20190425165706-cddb8b03d1d1 // indirect
+	github.com/gobuffalo/nulls v0.0.0-20190305142546-85f3c9250d87 // indirect
+	github.com/gobuffalo/packr v1.25.0
+	github.com/gobuffalo/pop v4.10.0+incompatible
+	github.com/gobuffalo/tags v2.1.0+incompatible // indirect
 	github.com/gobuffalo/validate v2.0.3+incompatible
-	github.com/gobuffalo/x v0.0.0-20181110221217-14085ca3e1a9 // indirect
-	github.com/godbus/dbus v0.0.0-20181101234600-2ff6f7ffd60f // indirect
+	github.com/gobuffalo/x v0.0.0-20190224155809-6bb134105960 // indirect
+	github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e // indirect
 	github.com/gofrs/uuid v3.2.0+incompatible
 	github.com/gorilla/csrf v1.5.1
-	github.com/gorilla/handlers v1.4.0 // indirect
-	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/hashicorp/go-multierror v1.0.0
-	github.com/honeycombio/beeline-go v0.3.4
-	github.com/honeycombio/libhoney-go v1.8.2 // indirect
+	github.com/honeycombio/beeline-go v0.4.4
+	github.com/honeycombio/libhoney-go v1.10.0 // indirect
 	github.com/imdario/mergo v0.3.7
 	github.com/jackc/pgx v3.3.0+incompatible // indirect
 	github.com/jessevdk/go-flags v1.4.0
 	github.com/jmoiron/sqlx v1.2.0
-	github.com/jung-kurt/gofpdf v1.0.0
-	github.com/keybase/go-keychain v0.0.0-20181011010623-f1daa725cce4 // indirect
-	github.com/kisielk/gotool v1.0.0 // indirect
+	github.com/jung-kurt/gofpdf v1.1.1
+	github.com/karrick/godirwalk v1.8.2 // indirect
+	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/markbates/going v1.0.3 // indirect
-	github.com/markbates/goth v1.49.0
-	github.com/mattn/go-shellwords v1.0.3 // indirect
+	github.com/markbates/goth v1.50.0
+	github.com/mattn/go-shellwords v1.0.5 // indirect
 	github.com/mitchellh/mapstructure v1.1.2
-	github.com/namsral/flag v1.7.4-pre
-	github.com/nbutton23/zxcvbn-go v0.0.0-20171102151520-eafdab6b0663 // indirect
+	github.com/namsral/flag v1.7.4-alpha.0.20170814194028-67f268f20922
 	github.com/pkg/errors v0.8.1
-	github.com/rickar/cal v1.0.0
-	github.com/ryanuber/go-glob v1.0.0 // indirect
-	github.com/securego/gosec v0.0.0-20190128083818-04ce7baf6c55
-	github.com/segmentio/chamber v0.0.0-20181114190714-9ae7098a0534
-	github.com/smartystreets/goconvey v0.0.0-20190306220146-200a235640ff // indirect
-	github.com/spf13/afero v1.2.1
+	github.com/rickar/cal v1.0.1
+	github.com/rogpeppe/go-internal v1.3.0
+	github.com/segmentio/chamber v0.0.0-20190313180807-07d3d8eeb33f
+	github.com/spf13/afero v1.2.2
 	github.com/spf13/cobra v0.0.4-0.20190321000552-67fc4837d267
 	github.com/spf13/pflag v1.0.4-0.20181223182923-24fa6976df40
 	github.com/spf13/viper v1.3.3-0.20190408140645-7a605a50e69c
 	github.com/stretchr/testify v1.3.0
 	github.com/tealeg/xlsx v1.0.3
-	github.com/toqueteos/webbrowser v1.1.0 // indirect
-	github.com/trussworks/pdfcpu v0.0.0-20180823221217-a53781a43f9d
+	github.com/trussworks/pdfcpu v0.1.15-0.20180823221217-a53781a43f9d
 	go.mozilla.org/pkcs7 v0.0.0-20181213175627-3cffc6fbfe83
 	go.uber.org/atomic v1.3.2 // indirect
 	go.uber.org/multierr v1.1.0 // indirect
 	go.uber.org/zap v1.9.1
 	goji.io v2.0.2+incompatible
-	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
-	golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3
-	golang.org/x/net v0.0.0-20190311183353-d8887717615a
-	golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1 // indirect
-	golang.org/x/text v0.3.0
-	golang.org/x/tools v0.0.0-20190311212946-11955173bddd
+	golang.org/x/crypto v0.0.0-20190424203555-c05e17bb3b2d
+	golang.org/x/lint v0.0.0-20190409202823-959b441ac422
+	golang.org/x/net v0.0.0-20190424112056-4829fb13d2c6
+	golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a // indirect
+	golang.org/x/sys v0.0.0-20190416152802-12500544f89f // indirect
+	golang.org/x/text v0.3.1
+	golang.org/x/tools v0.0.0-20190425163242-31fd60d6bfdc
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/alexcesaro/statsd.v2 v2.0.0 // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df // indirect
-	gopkg.in/ini.v1 v1.42.0 // indirect
 	gopkg.in/urfave/cli.v1 v1.20.0 // indirect
 )