Incorrect Nested Dependency Versions

[frankgreco]

What version of dep are you using (dep version)?

0.3.2

What dep command did you run?

dep init

What did you expect to see?

I have a the following dependency in my Gopkg.toml:

[[constraint]]
  name = "github.com/uber/jaeger-client-go"
  version = "2.11.0"

The commit for this specific version contains the following in its glide.lock

- name: github.com/apache/thrift
  version: b2a4d4ae21c789b689dd162deb819665567f481c
  subpackages:
  - lib/go/thrift

This project/commit has the following in its glide.yaml

- package: github.com/apache/thrift
  version: ">=0.9.3, <0.11.0"
  subpackages:
  - lib/go/thrift

After running dep ensure, my Gopkg.lock contains the following:

[[projects]]
  name = "github.com/apache/thrift"
  packages = ["lib/go/thrift"]
  revision = "327ebb6c2b6df8bf075da02ef45a2a034e9b79ba"
  version = "0.11.0"

What did you see instead?

I am very confused as to why dep is using this revision for 2 versions:

1. If it is using glide.yaml, then the revision it locked is equal to 0.11.0 and not less than
2. If it is using glide.lock, then the revisions are not equal

Other

dep ensure -v output

tl;dr

(17)  ? attempt github.com/apache/thrift with 1 pkgs; at least 1 versions to try
(19)      try github.com/apache/[email protected]
(19)  ✓ select github.com/apache/[email protected] w/1 pkgs

dep ensure -v
Root project is "github.com/northwesternmutual/kanali"
 34 transitively valid internal packages
 39 external packages imported from 15 projects
(0)   ✓ select (root)
(1)	? attempt github.com/coreos/etcd with 3 pkgs; at least 1 versions to try
(1)	    try github.com/coreos/[email protected]
(1)	✓ select github.com/coreos/[email protected] w/7 pkgs
(2)	? attempt github.com/golang/protobuf with 1 pkgs; at least 1 versions to try
(2)	    try github.com/golang/protobuf@4bd1920723d7b7c925de087aa32e2187708897f7
(2)	✓ select github.com/golang/protobuf@4bd1920723d7b7c925de087aa32e2187708897f7 w/1 pkgs
(3)	? attempt github.com/golang/glog with 1 pkgs; at least 1 versions to try
(3)	    try github.com/golang/glog@master
(3)	✓ select github.com/golang/glog@master w/1 pkgs
(4)	? attempt github.com/stretchr/testify with 1 pkgs; at least 1 versions to try
(4)	    try github.com/stretchr/[email protected]
(4)	✓ select github.com/stretchr/[email protected] w/1 pkgs
(5)	? attempt github.com/davecgh/go-spew with 1 pkgs; at least 1 versions to try
(5)	    try github.com/davecgh/[email protected]
(5)	✓ select github.com/davecgh/[email protected] w/1 pkgs
(6)	? attempt github.com/influxdata/influxdb with 1 pkgs; at least 1 versions to try
(6)	    try github.com/influxdata/[email protected]
(6)	✓ select github.com/influxdata/[email protected] w/3 pkgs
(7)	? attempt github.com/opentracing/opentracing-go with 1 pkgs; at least 1 versions to try
(7)	    try github.com/opentracing/[email protected]
(7)	✓ select github.com/opentracing/[email protected] w/2 pkgs
(8)	? attempt github.com/spf13/cobra with 1 pkgs; at least 1 versions to try
(8)	    try github.com/spf13/[email protected]
(8)	✓ select github.com/spf13/[email protected] w/1 pkgs
(9)	? attempt github.com/inconshreveable/mousetrap with 1 pkgs; at least 1 versions to try
(9)	    try github.com/inconshreveable/[email protected]
(9)	✓ select github.com/inconshreveable/[email protected] w/1 pkgs
(10)  ? attempt k8s.io/apiextensions-apiserver with 3 pkgs; at least 1 versions to try
(10)      try k8s.io/apiextensions-apiserver@89b2a556a65053a90552eaed26f810df4a266367
(10)  ✓ select k8s.io/apiextensions-apiserver@89b2a556a65053a90552eaed26f810df4a266367 w/5 pkgs
(11)  ? attempt github.com/gogo/protobuf with 2 pkgs; at least 1 versions to try
(11)      try github.com/gogo/[email protected]
(11)  ✓ select github.com/gogo/[email protected] w/2 pkgs
(12)  ? attempt google.golang.org/grpc with 8 pkgs; at least 1 versions to try
(12)      try google.golang.org/[email protected]
(12)  ✓ select google.golang.org/[email protected] w/22 pkgs
(13)  ? revisit github.com/golang/protobuf to add 1 pkgs
(13)    ✓ include 5 more pkgs from github.com/golang/protobuf@4bd1920723d7b7c925de087aa32e2187708897f7
(13)  ? attempt github.com/spf13/pflag with 1 pkgs; at least 1 versions to try
(14)      try github.com/spf13/[email protected]
(14)  ✓ select github.com/spf13/[email protected] w/1 pkgs
(14)  ? attempt golang.org/x/net with 1 pkgs; at least 1 versions to try
(15)      try golang.org/x/net@master
(15)  ✓ select golang.org/x/net@master w/1 pkgs
(15)  ? attempt github.com/uber/jaeger-client-go with 1 pkgs; at least 1 versions to try
(16)      try github.com/uber/[email protected]
(16)  ✓ select github.com/uber/[email protected] w/13 pkgs
(16)  ? revisit github.com/opentracing/opentracing-go to add 2 pkgs
(17)    ✓ include 3 more pkgs from github.com/opentracing/[email protected]
(16)  ? attempt github.com/pmezard/go-difflib with 1 pkgs; at least 1 versions to try
(18)      try github.com/pmezard/[email protected]
(18)  ✓ select github.com/pmezard/[email protected] w/1 pkgs
(17)  ? attempt github.com/apache/thrift with 1 pkgs; at least 1 versions to try
(19)      try github.com/apache/[email protected]
(19)  ✓ select github.com/apache/[email protected] w/1 pkgs
(18)  ? attempt github.com/spf13/viper with 1 pkgs; at least 1 versions to try
(20)      try github.com/spf13/[email protected]
(20)  ✓ select github.com/spf13/[email protected] w/1 pkgs
(19)  ? attempt github.com/fsnotify/fsnotify with 1 pkgs; at least 1 versions to try
(21)      try github.com/fsnotify/[email protected]
(21)  ✓ select github.com/fsnotify/[email protected] w/1 pkgs
(20)  ? attempt github.com/mitchellh/mapstructure with 1 pkgs; at least 1 versions to try
(22)      try github.com/mitchellh/mapstructure@master
(22)  ✓ select github.com/mitchellh/mapstructure@master w/1 pkgs
(21)  ? attempt github.com/hashicorp/hcl with 1 pkgs; at least 1 versions to try
(23)      try github.com/hashicorp/hcl@master
(23)  ✓ select github.com/hashicorp/hcl@master w/9 pkgs
(22)  ? attempt github.com/pelletier/go-toml with 1 pkgs; at least 1 versions to try
(24)      try github.com/pelletier/[email protected]
(24)  ✓ select github.com/pelletier/[email protected] w/1 pkgs
(23)  ? attempt golang.org/x/sys with 1 pkgs; at least 1 versions to try
(25)      try golang.org/x/sys@master
(25)  ✓ select golang.org/x/sys@master w/1 pkgs
(24)  ? revisit golang.org/x/net to add 3 pkgs
(26)    ✓ include 7 more pkgs from golang.org/x/net@master
(24)  ? attempt github.com/uber/jaeger-lib with 1 pkgs; at least 1 versions to try
(27)      try github.com/uber/[email protected]
(27)  ✓ select github.com/uber/[email protected] w/1 pkgs
(25)  ? attempt github.com/codahale/hdrhistogram with 1 pkgs; at least 1 versions to try
(28)      try github.com/codahale/hdrhistogram@master
(28)  ✓ select github.com/codahale/hdrhistogram@master w/1 pkgs
(26)  ? attempt github.com/satori/go.uuid with 1 pkgs; at least 1 versions to try
(29)      try github.com/satori/[email protected]
(29)  ✓ select github.com/satori/[email protected] w/1 pkgs
(27)  ? attempt k8s.io/api with 1 pkgs; at least 1 versions to try
(30)      try k8s.io/api@cadaf100c0a3dd6b254f320d6d651df079ec8e0a
(30)  ✓ select k8s.io/api@cadaf100c0a3dd6b254f320d6d651df079ec8e0a w/1 pkgs
(28)  ? attempt google.golang.org/genproto with 1 pkgs; at least 1 versions to try
(31)      try google.golang.org/genproto@master
(31)  ✓ select google.golang.org/genproto@master w/1 pkgs
(29)  ? revisit github.com/golang/protobuf to add 1 pkgs
(32)    ✓ include 2 more pkgs from github.com/golang/protobuf@4bd1920723d7b7c925de087aa32e2187708897f7
(29)  ? attempt github.com/spf13/afero with 1 pkgs; at least 1 versions to try
(33)      try github.com/spf13/[email protected]
(33)  ✓ select github.com/spf13/[email protected] w/2 pkgs
(30)  ? attempt github.com/magiconair/properties with 1 pkgs; at least 1 versions to try
(34)      try github.com/magiconair/[email protected]
(34)  ✓ select github.com/magiconair/[email protected] w/1 pkgs
(31)  ? revisit google.golang.org/genproto to add 1 pkgs
(35)    ✓ include 1 more pkgs from google.golang.org/genproto@master
(31)  ? revisit github.com/golang/protobuf to add 1 pkgs
(36)    ✓ include 2 more pkgs from github.com/golang/protobuf@4bd1920723d7b7c925de087aa32e2187708897f7
(31)  ? attempt go.uber.org/zap with 3 pkgs; at least 1 versions to try
(37)      try go.uber.org/[email protected]
(37)  ✓ select go.uber.org/[email protected] w/7 pkgs
(32)  ? attempt github.com/spf13/cast with 1 pkgs; at least 1 versions to try
(38)      try github.com/spf13/[email protected]
(38)  ✓ select github.com/spf13/[email protected] w/1 pkgs
(33)  ? attempt github.com/spf13/jwalterweatherman with 1 pkgs; at least 1 versions to try
(39)      try github.com/spf13/jwalterweatherman@master
(39)  ✓ select github.com/spf13/jwalterweatherman@master w/1 pkgs
(34)  ? attempt k8s.io/apimachinery with 10 pkgs; at least 1 versions to try
(40)      try k8s.io/apimachinery@9d38e20d609d27e00d4ec18f7b9db67105a2bde0
(40)  ✓ select k8s.io/apimachinery@9d38e20d609d27e00d4ec18f7b9db67105a2bde0 w/28 pkgs
(35)  ? attempt github.com/go-openapi/spec with 1 pkgs; at least 1 versions to try
(41)      try github.com/go-openapi/spec@master
(41)  ✓ select github.com/go-openapi/spec@master w/1 pkgs
(36)  ? attempt github.com/json-iterator/go with 1 pkgs; at least 1 versions to try
(42)      try github.com/json-iterator/[email protected]
(42)  ✓ select github.com/json-iterator/[email protected] w/1 pkgs
(37)  ? revisit k8s.io/apimachinery to add 2 pkgs
(43)    ✓ include 2 more pkgs from k8s.io/apimachinery@9d38e20d609d27e00d4ec18f7b9db67105a2bde0
(37)  ? revisit k8s.io/apimachinery to add 1 pkgs
(44)    ✓ include 1 more pkgs from k8s.io/apimachinery@9d38e20d609d27e00d4ec18f7b9db67105a2bde0
(37)  ? attempt github.com/go-openapi/jsonpointer with 1 pkgs; at least 1 versions to try
(45)      try github.com/go-openapi/jsonpointer@master
(45)  ✓ select github.com/go-openapi/jsonpointer@master w/1 pkgs
(38)  ? attempt github.com/ghodss/yaml with 1 pkgs; at least 1 versions to try
(46)      try github.com/ghodss/[email protected]
(46)  ✓ select github.com/ghodss/[email protected] w/1 pkgs
(39)  ? attempt github.com/google/gofuzz with 1 pkgs; at least 1 versions to try
(47)      try github.com/google/gofuzz@master
(47)  ✓ select github.com/google/gofuzz@master w/1 pkgs
(40)  ? attempt github.com/go-openapi/jsonreference with 1 pkgs; at least 1 versions to try
(48)      try github.com/go-openapi/jsonreference@master
(48)  ✓ select github.com/go-openapi/jsonreference@master w/1 pkgs
(41)  ? attempt github.com/PuerkitoBio/purell with 1 pkgs; at least 1 versions to try
(49)      try github.com/PuerkitoBio/[email protected]
(49)  ✓ select github.com/PuerkitoBio/[email protected] w/1 pkgs
(42)  ? revisit golang.org/x/net to add 1 pkgs
(50)    ✓ include 1 more pkgs from golang.org/x/net@master
(42)  ? attempt golang.org/x/text with 3 pkgs; at least 1 versions to try
(51)      try golang.org/x/text@master
(51)  ✓ select golang.org/x/text@master w/14 pkgs
(43)  ? attempt github.com/PuerkitoBio/urlesc with 1 pkgs; at least 1 versions to try
(52)      try github.com/PuerkitoBio/urlesc@master
(52)  ✓ select github.com/PuerkitoBio/urlesc@master w/1 pkgs
(44)  ? revisit golang.org/x/text to add 1 pkgs
(53)    ✓ include 1 more pkgs from golang.org/x/text@master
(44)  ? attempt go.uber.org/atomic with 1 pkgs; at least 1 versions to try
(54)      try go.uber.org/[email protected]
(54)  ✓ select go.uber.org/[email protected] w/1 pkgs
(45)  ? attempt k8s.io/client-go with 10 pkgs; at least 1 versions to try
(55)      try k8s.io/client-go@afb4606c45bae77c4dc2c15291d4d7d6d792196c
(55)  ✓ select k8s.io/client-go@afb4606c45bae77c4dc2c15291d4d7d6d792196c w/101 pkgs
(46)  ? revisit k8s.io/api to add 23 pkgs
(56)    ✓ include 24 more pkgs from k8s.io/api@cadaf100c0a3dd6b254f320d6d651df079ec8e0a
(46)  ? attempt github.com/go-openapi/swag with 1 pkgs; at least 1 versions to try
(57)      try github.com/go-openapi/swag@master
(57)  ✓ select github.com/go-openapi/swag@master w/1 pkgs
(47)  ? revisit k8s.io/apimachinery to add 15 pkgs
(58)    ✓ include 39 more pkgs from k8s.io/apimachinery@9d38e20d609d27e00d4ec18f7b9db67105a2bde0
(47)  ? attempt github.com/juju/ratelimit with 1 pkgs; at least 1 versions to try
(59)      try github.com/juju/ratelimit@master
(59)  ✓ select github.com/juju/ratelimit@master w/1 pkgs
(48)  ? revisit golang.org/x/text to add 1 pkgs
(60)    ✓ include 6 more pkgs from golang.org/x/text@master
(48)  ? attempt github.com/imdario/mergo with 1 pkgs; at least 1 versions to try
(61)      try github.com/imdario/[email protected]
(61)  ✓ select github.com/imdario/[email protected] w/1 pkgs
(49)  ? attempt github.com/googleapis/gnostic with 1 pkgs; at least 1 versions to try
(62)      try github.com/googleapis/[email protected]
(62)  ✓ select github.com/googleapis/[email protected] w/3 pkgs
(50)  ? attempt gopkg.in/yaml.v2 with 1 pkgs; at least 1 versions to try
(63)      try gopkg.in/yaml.v2@v2
(63)  ✓ select gopkg.in/yaml.v2@v2 w/1 pkgs
(51)  ? attempt github.com/mailru/easyjson with 2 pkgs; at least 1 versions to try
(64)      try github.com/mailru/easyjson@master
(64)  ✓ select github.com/mailru/easyjson@master w/3 pkgs
(52)  ? attempt github.com/emicklei/go-restful-swagger12 with 1 pkgs; at least 1 versions to try
(65)      try github.com/emicklei/[email protected]
(65)  ✓ select github.com/emicklei/[email protected] w/1 pkgs
(53)  ? attempt github.com/emicklei/go-restful with 2 pkgs; at least 1 versions to try
(66)      try github.com/emicklei/[email protected]
(66)  ✓ select github.com/emicklei/[email protected] w/2 pkgs
(54)  ? attempt github.com/howeyc/gopass with 1 pkgs; at least 1 versions to try
(67)      try github.com/howeyc/gopass@master
(67)  ✓ select github.com/howeyc/gopass@master w/1 pkgs
(55)  ? attempt github.com/peterbourgon/diskv with 1 pkgs; at least 1 versions to try
(68)      try github.com/peterbourgon/[email protected]
(68)  ✓ select github.com/peterbourgon/[email protected] w/1 pkgs
(56)  ? attempt github.com/google/btree with 1 pkgs; at least 1 versions to try
(69)      try github.com/google/btree@master
(69)  ✓ select github.com/google/btree@master w/1 pkgs
(57)  ? attempt github.com/gregjones/httpcache with 2 pkgs; at least 1 versions to try
(70)      try github.com/gregjones/httpcache@master
(70)  ✓ select github.com/gregjones/httpcache@master w/2 pkgs
(58)  ? attempt go.uber.org/multierr with 1 pkgs; at least 1 versions to try
(71)      try go.uber.org/[email protected]
(71)  ✓ select go.uber.org/[email protected] w/1 pkgs
(59)  ? attempt github.com/hashicorp/golang-lru with 1 pkgs; at least 1 versions to try
(72)      try github.com/hashicorp/golang-lru@master
(72)  ✓ select github.com/hashicorp/golang-lru@master w/2 pkgs
(60)  ? attempt gopkg.in/inf.v0 with 1 pkgs; at least 1 versions to try
(73)      try gopkg.in/[email protected]
(73)  ✓ select gopkg.in/[email protected] w/1 pkgs
(61)  ? attempt golang.org/x/crypto with 1 pkgs; at least 1 versions to try
(74)      try golang.org/x/crypto@master
(74)  ✓ select golang.org/x/crypto@master w/1 pkgs
(62)  ? revisit golang.org/x/sys to add 1 pkgs
(75)    ✓ include 1 more pkgs from golang.org/x/sys@master
(62)  ? attempt github.com/petar/GoLLRB with 1 pkgs; at least 1 versions to try
(76)      try github.com/petar/GoLLRB@master
(76)  ✓ select github.com/petar/GoLLRB@master w/1 pkgs
(63)  ? attempt k8s.io/kube-openapi with 1 pkgs; at least 1 versions to try
(77)      try k8s.io/kube-openapi@master
(77)  ✓ select k8s.io/kube-openapi@master w/1 pkgs
  ✓ found solution with 322 packages from 63 projects

Solver wall times by segment:
         b-list-pkgs: 1m0.958910354s
              b-gmal:  55.741017511s
     b-source-exists:  16.344338959s
  b-deduce-proj-root:    650.83795ms
             satisfy:    71.146727ms
         select-atom:    60.411882ms
            new-atom:     5.175988ms
         select-root:     1.890084ms
               other:      455.847µs
            add-atom:      182.112µs

  TOTAL: 2m13.834367414s

(1/63) Wrote github.com/PuerkitoBio/[email protected]
(2/63) Wrote github.com/mitchellh/mapstructure@master
(3/63) Wrote github.com/magiconair/[email protected]
(4/63) Wrote github.com/uber/[email protected]
(5/63) Wrote github.com/davecgh/[email protected]
(6/63) Wrote go.uber.org/[email protected]
(7/63) Wrote github.com/mailru/easyjson@master
(8/63) Wrote github.com/opentracing/[email protected]
(9/63) Wrote go.uber.org/[email protected]
(10/63) Wrote k8s.io/kube-openapi@master
(11/63) Wrote github.com/juju/ratelimit@master
(12/63) Wrote github.com/codahale/hdrhistogram@master
(13/63) Wrote github.com/PuerkitoBio/urlesc@master
(14/63) Wrote github.com/json-iterator/[email protected]
(15/63) Wrote github.com/pelletier/[email protected]
(16/63) Wrote go.uber.org/[email protected]
(17/63) Wrote golang.org/x/crypto@master
(18/63) Wrote golang.org/x/sys@master
(19/63) Wrote gopkg.in/[email protected]
(20/63) Wrote gopkg.in/yaml.v2@v2
(21/63) Wrote github.com/peterbourgon/[email protected]
(22/63) Wrote github.com/pmezard/[email protected]
(23/63) Wrote github.com/spf13/[email protected]
(24/63) Wrote golang.org/x/net@master
(25/63) Wrote google.golang.org/genproto@master
(26/63) Wrote google.golang.org/[email protected]
(27/63) Wrote github.com/petar/GoLLRB@master
(28/63) Wrote k8s.io/apimachinery@9d38e20d609d27e00d4ec18f7b9db67105a2bde0
(29/63) Wrote github.com/spf13/[email protected]
(30/63) Wrote github.com/satori/[email protected]
(31/63) Wrote k8s.io/apiextensions-apiserver@89b2a556a65053a90552eaed26f810df4a266367
(32/63) Wrote golang.org/x/text@master
(33/63) Wrote github.com/spf13/jwalterweatherman@master
(34/63) Wrote github.com/spf13/[email protected]
(35/63) Wrote k8s.io/api@cadaf100c0a3dd6b254f320d6d651df079ec8e0a
(36/63) Wrote github.com/spf13/[email protected]
(37/63) Wrote github.com/stretchr/[email protected]
(38/63) Wrote github.com/google/gofuzz@master
(39/63) Wrote github.com/spf13/[email protected]
(40/63) Wrote github.com/uber/[email protected]
(41/63) Wrote github.com/fsnotify/[email protected]
(42/63) Wrote github.com/emicklei/[email protected]
(43/63) Wrote github.com/ghodss/[email protected]
(44/63) Wrote github.com/go-openapi/jsonpointer@master
(45/63) Wrote github.com/emicklei/[email protected]
(46/63) Wrote github.com/go-openapi/jsonreference@master
(47/63) Wrote github.com/go-openapi/swag@master
(48/63) Wrote github.com/go-openapi/spec@master
(49/63) Wrote github.com/golang/glog@master
(50/63) Wrote github.com/google/btree@master
(51/63) Wrote github.com/inconshreveable/[email protected]
(52/63) Wrote github.com/golang/protobuf@4bd1920723d7b7c925de087aa32e2187708897f7
(53/63) Wrote github.com/coreos/[email protected]
(54/63) Wrote github.com/hashicorp/golang-lru@master
(55/63) Wrote github.com/gregjones/httpcache@master
(56/63) Wrote github.com/howeyc/gopass@master
(57/63) Wrote github.com/googleapis/[email protected]
(58/63) Wrote github.com/hashicorp/hcl@master
(59/63) Wrote github.com/imdario/[email protected]
(60/63) Wrote k8s.io/client-go@afb4606c45bae77c4dc2c15291d4d7d6d792196c
(61/63) Wrote github.com/apache/[email protected]
(62/63) Wrote github.com/gogo/[email protected]
(63/63) Wrote github.com/influxdata/[email protected]

[carolynvs]

Can you provide the output from running dep init -v? The glide importer does attempt to preserve the revisions used from the glide.lock. Perhaps there is another constraint that prevented it from being used.

If you really need to use a specific version of apimachinery, see How do I constrain a transitive dependency's version? from our FAQ for guidance on how to add an override for k8s.io/apimachinery. I strongly recommend picking a version range instead of a specific revision if you decide to create an override.

[frankgreco]

@carolynvs I updated the question to another very specific example (same issue) with some more info. Note that I did not execute dep init -v. I created my Gopkg.toml and then ran dep ensure -update.

[frankgreco]

To work around this, I have add the following to my top level imports:

_ "github.com/apache/thrift/lib/go/thrift"

and then added this to my Gopkg.toml

[[constraint]]
  name = "github.com/apache/thrift"
  revision = "b2a4d4ae21c789b689dd162deb819665567f481c"

The transitive dependency link you provided suggested this. However, the section is prefixed with a warning relaying that I shouldn't do this. However, this is the only workaround that I know of.

[frankgreco]

@carolynvs any insight on this? Is this a bug or just something I'm not understanding correctly?

[carolynvs]

Wait, your original question said that you ran dep init but your edits make me think that you actually only ran dep ensure? I'm confused about if we are talking about two separate issues. 😀

The reason why I ask is that dep ensure does not look at any external configuration such as glide, only init does that currently.

[frankgreco]

@carolynvs sorry that confusion was my fault (thought the issue was the same). So if this only happens with dep init, is there no guarantee that my locked dependency versions will be correct if I create Gopkg.toml myself?

[carolynvs]

For init, dep preserves the constraints from the external config file (such as glide.yaml) at the root of the project, and attempts to preserve the locked revisions as well.

There is an open epic (#1335) to preserve metadata from external configuration found in a dependency when solving the dependency graph. Which I believe is the feature necessary for your dep ensure to have picked up the constraint on thrift.

Until that's implemented, you can use an [[override]] to select a specific version of thrift. That way you won't need to add the empty import.

[[override]]
  name = "github.com/apache/thrift"
  version = ">=0.9.3, <0.11.0"

If you need to use a specific version, I recommend version = "=0.10.0" instead of picking a specific commit hash. Mostly because the net result is the same and it's easier to read. 😉

I'm going to close this and recommend that you follow #1335. But please let me know if you still have questions!