dependabot-go_modules 0.373.0 → 0.374.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 27e3533322390a8ec28d44ef8886cc6b0a95844f16220d86bb4515a0d5c1f06d
-  data.tar.gz: 26b876d7cf2a17b3422f5127541fbb309d929e18bfda9fb85eb024d33cef38b4
+  metadata.gz: 79d4612bc061dae5110e47d2213548ed4dc3b2d93fadb04494cb85f7b78fcef5
+  data.tar.gz: aacdfc5d7c13bf0a8e3c1fb9db5ab9e30dfb3fbcc0adcd1059cea0551eee5ade
 SHA512:
-  metadata.gz: 7a48980f9cd636da1c7b9c0c014c21c86d38b5862f72d3b9a66cfa1b2a8b94c10684126cb48798d26b5448c98f2cb37510ad3296fd66deb85da05f3f492c4931
-  data.tar.gz: de39bdb1b4a5bfeea0e00c6d97c91fb1f7306e4d128a0a254e58d36c2bbcfb5d9f7e33d570547efce890d3709a8edb001cf1f9a35d80edfa658cc349c76fbfcc
+  metadata.gz: 4a7e6bbb25f8999253090edc7639c804df977ad05495b6f562579bc4ef06799b317fd166e7a896ca5bc1801652cdfaa580a4e3da3dcf901cfdb10dc641e7397d
+  data.tar.gz: f5bbfefc7577f2d65e035b2b976fe2824cc423b063dd62875f1af201185c32332a6daf4f6c603d5e5165b75aa664728aec712fabf8ce9be529a1b8002546a083

data/lib/dependabot/go_modules/file_fetcher.rb

@@ -4,6 +4,7 @@
 require "sorbet-runtime"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/go_modules/go_work_parser"
 
 module Dependabot
   module GoModules
@@ -13,41 +14,68 @@ module Dependabot
 
       sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
-        filenames.include?("go.mod")
+        filenames.include?("go.mod") || filenames.include?("go.work")
       end
 
       sig { override.returns(String) }
       def self.required_files_message
-        "Repo must contain a go.mod."
+        "Repo must contain a go.mod or go.work."
       end
 
       sig { override.returns(T::Hash[Symbol, T.untyped]) }
       def ecosystem_versions
+        version = go_version_from_file(go_mod) ||
+                  go_version_from_file(go_work) ||
+                  all_workspace_go_mods.filter_map { |f| go_version_from_file(f) }.first ||
+                  "unknown"
+
         {
           package_managers: {
-            "gomod" => go_mod&.content&.match(/^go\s(\d+\.\d+)/)&.captures&.first || "unknown"
+            "gomod" => version
           }
         }
       end
 
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
-        # Ensure we always check out the full repo contents for go_module
-        # updates.
-        SharedHelpers.in_a_temporary_repo_directory(
-          directory,
-          clone_repo_contents
-        ) do
-          fetched_files = go_mod ? [go_mod] : []
-          # Fetch the (optional) go.sum
-          fetched_files << T.must(go_sum) if go_sum
-          fetched_files << T.must(go_env) if go_env
+        SharedHelpers.in_a_temporary_repo_directory(directory, clone_repo_contents) do
+          fetched_files = collect_dependency_files
+          validate_files!(fetched_files)
           fetched_files
         end
       end
 
       private
 
+      sig { returns(T::Array[DependencyFile]) }
+      def collect_dependency_files
+        fetched_files = T.let([], T::Array[DependencyFile])
+
+        if go_work
+          fetched_files << T.must(go_work)
+          fetched_files << T.must(go_work_sum) if go_work_sum
+          fetched_files.concat(workspace_module_files)
+        else
+          fetched_files << T.must(go_mod) if go_mod
+          fetched_files << T.must(go_sum) if go_sum
+        end
+
+        fetched_files << T.must(go_env) if go_env
+
+        fetched_files
+      end
+
+      sig { params(files: T::Array[DependencyFile]).void }
+      def validate_files!(files)
+        return if files.any? { |f| f.name.end_with?("go.mod") }
+
+        error_msg = go_work ? "No go.mod files found in workspace" : "No go.mod files found"
+        raise Dependabot::DependencyFileNotFound.new(
+          "go.mod",
+          error_msg
+        )
+      end
+
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def go_mod
         @go_mod ||= T.let(fetch_file_if_present("go.mod"), T.nilable(Dependabot::DependencyFile))
@@ -58,6 +86,11 @@ module Dependabot
         @go_sum ||= T.let(fetch_file_if_present("go.sum"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_work_sum
+        @go_work_sum ||= T.let(fetch_file_if_present("go.work.sum"), T.nilable(Dependabot::DependencyFile))
+      end
+
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def go_env
         return @go_env if defined?(@go_env)
@@ -65,6 +98,66 @@ module Dependabot
         @go_env = T.let(fetch_support_file("go.env"), T.nilable(Dependabot::DependencyFile))
         @go_env
       end
+
+      sig { params(file: T.nilable(Dependabot::DependencyFile)).returns(T.nilable(String)) }
+      def go_version_from_file(file)
+        file&.content&.match(/^go\s+(\d+\.\d+)/)&.captures&.first
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def all_workspace_go_mods
+        return [] unless go_work
+
+        workspace_module_paths.filter_map do |module_path|
+          name = module_path == "." ? "go.mod" : File.join(module_path, "go.mod")
+          fetch_file_if_present(name)
+        end
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_work
+        @go_work ||= T.let(fetch_file_if_present("go.work"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T::Array[String]) }
+      def workspace_module_paths
+        return [] unless go_work
+
+        content = T.must(T.must(go_work).content)
+        GoWorkParser.use_paths(content)
+                    .select { |p| valid_module_path?(p) }
+      end
+
+      sig { params(path: String).returns(T::Boolean) }
+      def valid_module_path?(path)
+        return false if path.empty?
+        return false if Pathname.new(path).absolute?
+        return false if path.include?("\0")
+
+        clean = Pathname.new(path).cleanpath.to_s
+        return false if clean.start_with?("../")
+
+        true
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def workspace_module_files
+        files = T.let([], T::Array[DependencyFile])
+
+        workspace_module_paths.each do |module_path|
+          mod_name = module_path == "." ? "go.mod" : File.join(module_path, "go.mod")
+          mod_file = fetch_file_if_present(mod_name)
+          next unless mod_file
+
+          files << mod_file
+
+          sum_name = module_path == "." ? "go.sum" : File.join(module_path, "go.sum")
+          sum_file = fetch_file_if_present(sum_name)
+          files << sum_file if sum_file
+        end
+
+        files
+      end
     end
   end
 end

data/lib/dependabot/go_modules/file_parser.rb

@@ -6,6 +6,7 @@ require "sorbet-runtime"
 require "open3"
 require "dependabot/dependency"
 require "dependabot/file_parsers/base/dependency_set"
+require "dependabot/go_modules/go_work_parser"
 require "dependabot/go_modules/path_converter"
 require "dependabot/go_modules/replace_stubber"
 require "dependabot/errors"
@@ -52,11 +53,13 @@ module Dependabot
       def parse
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-        required_packages.each do |hsh|
-          unless skip_dependency?(hsh) # rubocop:disable Style/Next
+        if workspace?
+          parse_workspace_dependencies(dependency_set)
+        else
+          required_packages.each do |hsh|
+            next if skip_dependency?(hsh)
 
-            dep = dependency_from_details(hsh)
-            dependency_set << dep
+            dependency_set << dependency_from_details(hsh)
           end
         end
 
@@ -190,9 +193,98 @@ module Dependabot
         @go_env ||= T.let(get_original_file("go.env"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_work
+        @go_work ||= T.let(get_original_file("go.work"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T::Boolean) }
+      def workspace?
+        !go_work.nil?
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def all_go_mods
+        @all_go_mods ||= T.let(
+          if go_work
+            workspace_mod_names = GoWorkParser.use_paths(T.must(T.must(go_work).content)).map do |path|
+              path == "." ? "go.mod" : "#{path}/go.mod"
+            end
+            dependency_files.select { |f| workspace_mod_names.include?(f.name) }
+          else
+            dependency_files.select { |f| f.name.end_with?("go.mod") }
+          end,
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
+      sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
+      def parse_workspace_dependencies(dependency_set)
+        all_go_mods.each do |mod_file|
+          parse_single_module(mod_file).each do |dep|
+            dependency_set << dep
+          end
+        end
+      end
+
+      sig { params(mod_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
+      def parse_single_module(mod_file)
+        SharedHelpers.in_a_temporary_directory do |path|
+          File.write("go.mod", mod_file.content)
+
+          command = "go mod edit -json"
+          stdout, stderr, status = Open3.capture3(command)
+          handle_parser_error(path, stderr, file_path: mod_file.path) unless status.success?
+
+          parsed = JSON.parse(stdout)
+          packages = parsed["Require"] || []
+
+          packages.filter_map do |hsh|
+            next if skip_dependency_in_manifest?(hsh, parsed)
+
+            source = { type: "default", source: hsh["Path"] }
+            version = hsh["Version"]&.sub(/^v?/, "")
+
+            reqs = [{
+              requirement: hsh["Version"],
+              file: mod_file.name,
+              source: source,
+              groups: []
+            }]
+
+            Dependency.new(
+              name: hsh["Path"],
+              version: version,
+              requirements: hsh["Indirect"] ? [] : reqs,
+              package_manager: "go_modules"
+            )
+          end
+        end
+      end
+
+      sig { params(dep: T::Hash[String, T.untyped], mod_manifest: T::Hash[String, T.untyped]).returns(T::Boolean) }
+      def skip_dependency_in_manifest?(dep, mod_manifest)
+        return true if dependency_is_replaced_in?(dep, mod_manifest)
+
+        path_uri = URI.parse("https://#{dep['Path']}")
+        !path_uri.host&.include?(".")
+      rescue URI::InvalidURIError
+        false
+      end
+
+      sig { params(details: T::Hash[String, T.untyped], mod_manifest: T::Hash[String, T.untyped]).returns(T::Boolean) }
+      def dependency_is_replaced_in?(details, mod_manifest)
+        return false unless mod_manifest["Replace"]
+
+        mod_manifest["Replace"].any? do |replace|
+          replace["Old"]["Path"] == details["Path"] &&
+            (!replace["Old"]["Version"] || replace["Old"]["Version"] == details["Version"])
+        end
+      end
+
       sig { override.void }
       def check_required_files
-        raise "No go.mod!" unless go_mod
+        raise "No go.mod or go.work!" unless go_mod || go_work
       end
 
       sig { params(details: T::Hash[String, T.untyped]).returns(Dependabot::Dependency) }
@@ -264,10 +356,11 @@ module Dependabot
         end
       end
 
-      sig { params(path: T.any(Pathname, String), stderr: String).returns(T.noreturn) }
-      def handle_parser_error(path, stderr)
+      sig { params(path: T.any(Pathname, String), stderr: String, file_path: T.nilable(String)).returns(T.noreturn) }
+      def handle_parser_error(path, stderr, file_path: nil)
         msg = stderr.gsub(path.to_s, "").strip
-        raise Dependabot::DependencyFileNotParseable.new(T.must(go_mod).path, msg)
+        resolved_path = file_path || go_mod&.path || go_work&.path || "go.mod"
+        raise Dependabot::DependencyFileNotParseable.new(resolved_path, msg)
       end
 
       sig { params(dep: T::Hash[String, T.untyped]).returns(T::Boolean) }

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -7,13 +7,14 @@ require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/logger"
 require "dependabot/go_modules/file_updater"
+require "dependabot/go_modules/go_work_parser"
 require "dependabot/go_modules/replace_stubber"
 require "dependabot/go_modules/resolvability_errors"
 
 module Dependabot
   module GoModules
     class FileUpdater
-      class GoModUpdater
+      class GoModUpdater # rubocop:disable Metrics/ClassLength
         extend T::Sig
 
         RESOLVABILITY_ERROR_REGEXES = T.let(
@@ -151,6 +152,14 @@ module Dependabot
           updated_files[:go_sum]
         end
 
+        sig { returns(T::Hash[String, String]) }
+        def updated_workspace_module_files
+          @updated_workspace_module_files ||= T.let(
+            update_workspace_files,
+            T.nilable(T::Hash[String, String])
+          )
+        end
+
         private
 
         sig { returns(T::Array[Dependabot::Dependency]) }
@@ -220,6 +229,109 @@ module Dependabot
           end
         end
 
+        sig { returns(T::Hash[String, String]) }
+        def update_workspace_files
+          in_repo_path do
+            dependency_files.each do |file|
+              path = Pathname.new(file.name).expand_path
+              FileUtils.mkdir_p(path.dirname)
+              File.write(path, file.content)
+            end
+
+            # Run `go get dep@version` in each module directory so every go.mod
+            # that requires the dependency gets the version bump, not just the first.
+            # Follow with a bare `go get` validation pass per module, matching the
+            # single-module update path's intent (see run_go_get comment).
+            workspace_module_paths.each do |mod_dir|
+              Dir.chdir(mod_dir) do
+                run_go_get(dependencies)
+                run_go_get
+              end
+            end
+
+            run_go_work_sync
+            run_workspace_tidy
+
+            collect_workspace_file_contents
+          end
+        end
+
+        sig { void }
+        def run_go_work_sync
+          command = "go work sync"
+          _, stderr, status = Open3.capture3(command)
+          return if status.success?
+
+          handle_subprocess_error(stderr)
+        end
+
+        sig { void }
+        def run_workspace_tidy
+          return unless tidy?
+
+          workspace_module_paths.each do |mod_path|
+            Dir.chdir(mod_path) do
+              command = "go mod tidy -e"
+              _, stderr, status = Open3.capture3(command)
+              if status.success?
+                Dependabot.logger.info "`go mod tidy` succeeded in #{mod_path}"
+              else
+                Dependabot.logger.info "Failed to `go mod tidy` in #{mod_path}: #{stderr}"
+              end
+            end
+          end
+        end
+
+        sig { returns(T::Array[String]) }
+        def workspace_module_paths
+          go_work_file = dependency_files.find { |f| f.name.end_with?("go.work") }
+          return ["."] unless go_work_file
+
+          fetched_mod_names = dependency_files.select { |f| f.name.end_with?("go.mod") }
+                                              .to_set(&:name)
+
+          GoWorkParser.use_paths(T.must(go_work_file.content))
+                      .select { |p| valid_workspace_path?(p) && fetched_mod_names.include?(workspace_mod_name(p)) }
+                      .map { |p| p == "." ? "." : "./#{p}" }
+        end
+
+        sig { params(path: String).returns(T::Boolean) }
+        def valid_workspace_path?(path)
+          return false if Pathname.new(path).absolute?
+
+          !Pathname.new(path).cleanpath.to_s.start_with?("../")
+        end
+
+        sig { params(use_path: String).returns(String) }
+        def workspace_mod_name(use_path)
+          use_path == "." ? "go.mod" : "#{use_path}/go.mod"
+        end
+
+        sig { returns(T::Hash[String, String]) }
+        def collect_workspace_file_contents
+          results = T.let({}, T::Hash[String, String])
+
+          workspace_module_paths.each do |mod_path|
+            relative_base = mod_path.delete_prefix("./")
+
+            mod_file = File.join(mod_path, "go.mod")
+            if File.exist?(mod_file)
+              key = relative_base.empty? || relative_base == "." ? "go.mod" : "#{relative_base}/go.mod"
+              results[key] = File.read(mod_file)
+            end
+
+            sum_file = File.join(mod_path, "go.sum")
+            next unless File.exist?(sum_file)
+
+            key = relative_base.empty? || relative_base == "." ? "go.sum" : "#{relative_base}/go.sum"
+            results[key] = File.read(sum_file)
+          end
+
+          results["go.work.sum"] = File.read("go.work.sum") if File.exist?("go.work.sum")
+
+          results
+        end
+
         sig { void }
         def run_go_mod_tidy
           return unless tidy?

data/lib/dependabot/go_modules/file_updater.rb

@@ -7,6 +7,7 @@ require "dependabot/shared_helpers"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/file_updaters/vendor_updater"
+require "dependabot/go_modules/go_work_parser"
 
 module Dependabot
   module GoModules
@@ -37,7 +38,55 @@ module Dependabot
 
       sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
-        updated_files = []
+        updated_files = if workspace?
+                          updated_workspace_files
+                        else
+                          updated_single_module_files
+                        end
+
+        raise "No files changed!" if updated_files.none?
+
+        updated_files
+      end
+
+      private
+
+      sig { params(go_mod: Dependabot::DependencyFile).returns(T::Boolean) }
+      def dependency_changed?(go_mod)
+        # file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
+        file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
+      end
+
+      sig { override.void }
+      def check_required_files
+        return if go_mod || go_work
+
+        raise "No go.mod or go.work!"
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_mod
+        @go_mod ||= T.let(get_original_file("go.mod"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_sum
+        @go_sum ||= T.let(get_original_file("go.sum"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_work
+        @go_work ||= T.let(get_original_file("go.work"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T::Boolean) }
+      def workspace?
+        !go_work.nil?
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_single_module_files
+        updated_files = T.let([], T::Array[Dependabot::DependencyFile])
 
         if go_mod && dependency_changed?(T.must(go_mod))
           updated_files <<
@@ -60,34 +109,51 @@ module Dependabot
           end
         end
 
-        raise "No files changed!" if updated_files.none?
-
         updated_files
       end
 
-      private
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_workspace_files
+        check_workspace_not_vendored!
 
-      sig { params(go_mod: Dependabot::DependencyFile).returns(T::Boolean) }
-      def dependency_changed?(go_mod)
-        # file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
-        file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
-      end
+        updated_files = T.let([], T::Array[Dependabot::DependencyFile])
+        workspace_results = file_updater.updated_workspace_module_files
 
-      sig { override.void }
-      def check_required_files
-        return if go_mod
+        workspace_results.each do |file_path, content|
+          original = dependency_files.find { |f| f.name == file_path }
+          next unless original
+          next if original.content == content
 
-        raise "No go.mod!"
-      end
+          updated_files << updated_file(file: original, content: content)
+        end
 
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def go_mod
-        @go_mod ||= T.let(get_original_file("go.mod"), T.nilable(Dependabot::DependencyFile))
+        updated_files
       end
 
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def go_sum
-        @go_sum ||= T.let(get_original_file("go.sum"), T.nilable(Dependabot::DependencyFile))
+      sig { void }
+      def check_workspace_not_vendored!
+        mod_paths = GoWorkParser.use_paths(T.must(T.must(go_work).content))
+
+        vendored_path = mod_paths.find do |mod_path|
+          vendor_modules_txt = if mod_path == "."
+                                 File.join(vendor_dir, "modules.txt")
+                               else
+                                 File.join(
+                                   T.must(repo_contents_path),
+                                   T.must(directory),
+                                   mod_path,
+                                   "vendor",
+                                   "modules.txt"
+                                 )
+                               end
+          File.exist?(vendor_modules_txt)
+        end
+
+        return unless vendored_path
+
+        raise Dependabot::DependencyFileNotResolvable,
+              "Go workspace module \"#{vendored_path}\" has a vendor directory. " \
+              "Vendored workspaces are not yet supported."
       end
 
       sig { returns(T.nilable(String)) }

data/lib/dependabot/go_modules/go_work_parser.rb

@@ -0,0 +1,40 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module GoModules
+    class GoWorkParser
+      extend T::Sig
+
+      # Parses the `use` directives from go.work content.
+      # Returns an array of module paths with `./` prefix stripped.
+      # `"."` is included when the root module is listed.
+      # Result is deduped but not sorted, filtered, or re-prefixed.
+      sig { params(content: String).returns(T::Array[String]) }
+      def self.use_paths(content)
+        paths = T.let([], T::Array[String])
+
+        # Multi-line use block: use (\n  ./path\n  ...\n)
+        content.scan(/^use\s+\(([^)]+)\)/m).each do |block_match|
+          T.must(block_match[0]).each_line do |line|
+            path = line.split("//").first&.strip || ""
+            next if path.empty?
+
+            paths << path.sub(%r{^\./}, "")
+          end
+        end
+
+        # Single-line use directive: use . or use ./path
+        # [^\s]* (zero-or-more) so bare `use .` is captured
+        content.scan(/^use\s+(?!\()(\.[^\s]*)/m).each do |match|
+          path = T.must(match[0]).sub(%r{^\./}, "")
+          paths << path
+        end
+
+        paths.uniq
+      end
+    end
+  end
+end

data/lib/dependabot/go_modules/package/package_details_fetcher.rb

@@ -120,7 +120,18 @@ module Dependabot
 
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def go_mod
-          @go_mod ||= T.let(dependency_files.find { |f| f.name == "go.mod" }, T.nilable(Dependabot::DependencyFile))
+          @go_mod ||= T.let(
+            begin
+              req_file = dependency.requirements.first&.fetch(:file, nil)
+              if req_file
+                dependency_files.find { |f| f.name == req_file }
+              else
+                dependency_files.find { |f| f.name == "go.mod" } ||
+                  dependency_files.find { |f| f.name.end_with?("/go.mod") }
+              end
+            end,
+            T.nilable(Dependabot::DependencyFile)
+          )
         end
 
         sig do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.373.0
+  version: 0.374.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.374.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.374.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -256,6 +256,7 @@ files:
 - lib/dependabot/go_modules/file_parser.rb
 - lib/dependabot/go_modules/file_updater.rb
 - lib/dependabot/go_modules/file_updater/go_mod_updater.rb
+- lib/dependabot/go_modules/go_work_parser.rb
 - lib/dependabot/go_modules/language.rb
 - lib/dependabot/go_modules/metadata_finder.rb
 - lib/dependabot/go_modules/native_helpers.rb
@@ -274,7 +275,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.373.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.374.0
 rdoc_options: []
 require_paths:
 - lib