The Renovate bot and imdario/mergo v1.0.0 #47

Open
webbnh opened this issue Jul 2, 2024 · 0 comments

webbnh commented Jul 2, 2024

We have an indirect dependency on a Go package named mergo. This package was updated from v0.3.6 to v1.0.0 recently, and the Renovate bot proposes that we update our go.mod file to match.

Unfortunately, as part of the update to v1.0.0, the package path was changed to use a new vanity hostname. As a result, when the bot updates our go.mod file, the path to the package in our requirements does not match the path in our direct dependency's requirement, and we get an error from go get, which, among other things, makes the bot upset.

The proper solution is, I presume, for our dependency to update their dependency to the v1.0.0 version so that the pathing problem is removed (but, this does not seem to be forthcoming). The interim solution is to manually maintain our indirect dependency at v0.3.16, which is functionally equivalent to v1.0.0 but which is still available from the old path.

However, every week, when the bot runs, it proposes updating to v1.0.0 again. And, because of the process failure, the bot refuses to run again while the PR is open, and so we are exposed in terms of missing other updates.

Other than simply closing the PR each week (after checking that it's not proposing to update anything other than mergo and its dependencies!), the only option would seem to be adding to the local bot configuration a matcher for mergo which says to ignore that particular upgrade. (But, I'm not sure exactly how to do that, and we would presumably need something to remind us to remove that configuration again, once our dependency updates their dependency.)

So, for now, I'm just going to close the PR. But, that's only going to help us until next week.
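
One way to write the ignore rule the comment above describes, as an added example that is not part of the original issue or the project's own configuration: a Renovate `packageRules` entry that caps the old module path below v1.0.0. It assumes the module appears in go.mod as `github.com/imdario/mergo` and that the repository's Renovate configuration is a `renovate.json` file.

```json
{
  "packageRules": [
    {
      "description": "Added example (assumed module path github.com/imdario/mergo): hold mergo below v1.0.0 because v1.0.0 is published under a new module path. Remove this rule once our direct dependency requires the new path.",
      "matchDatasources": ["go"],
      "matchPackageNames": ["github.com/imdario/mergo"],
      "allowedVersions": "<1.0.0"
    }
  ]
}
```

Because the rule uses `allowedVersions` and does not disable the package, Renovate still proposes releases below v1.0.0 for this module and continues to update every other dependency.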

This was referenced Jul 2, 2024