force a transitive dependency version in golang

Issue

I have a question about dependencies in golang.
My application defines a go.mod like this:

module my.host.com/myapp

require (
    ext1.com/module1 v0.0.1
)

go 1.14

The dependency relationship is:

  1. ext1.com/module1 v0.0.1 depends on ext3.com/module3 v0.0.3

A security scan detects ext3.com/module3 v0.0.3 is insecure and must be updated to v0.0.4.

Is there a way to "force" myapp to get only module3 v0.0.4, overriding the directives defined in module1 v0.0.1 go.mod?

  1. Let’s say ext1.com/module1 v0.0.1 is already at the latest version, so upgrading it doesn’t work.

Would "replace" work?

module my.host.com/myapp

require (
    ext1.com/module1 v0.0.1
)

replace ext3.com/module3 v0.0.3 => ext3.com/module3 v0.0.4

go 1.14

Thanks in advance!

Solution

Run go get -u ext3.com/module3@v0.0.4.

This upgrades the module to at least v0.0.4.

Given the dependency main -> B -> C, when main requires a higher version of C than that required by B, the higher version is selected, with // indirect.

See https://go.dev/ref/mod#go-mod-file-require

If the go directive specifies go 1.16 or lower, the go command adds an indirect requirement when the selected version of a module is higher than what is already implied (transitively) by the main module's other dependencies. That may occur because of an explicit upgrade (go get -u ./...)

I quote this part because your go.mod has go 1.14.

Answered By – blackgreen

Answer Checked By – Candace Johnson (GoLangFix Volunteer)
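Added illustration, not part of the question or of blackgreen's answer: a small Go program that applies minimal version selection (the rule the answer describes, "main -> B -> C, the higher version of C wins") to the dependency graph from the question. The module paths are the question's placeholders, the "proxy" is an in-memory map constructed for the example, and compareSemver only understands plain vMAJOR.MINOR.PATCH tags. It shows the build list before and after the equivalent of `go get ext3.com/module3@v0.0.4`, and renders the require block with the `// indirect` marker a go 1.14 module gets.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one "require <path> <version>" line of a go.mod file.
type Requirement struct {
	Path, Version string
}

// Graph maps "path@version" to the requirements in that version's go.mod.
// It is a constructed in-memory stand-in for a module proxy, so this runs offline.
type Graph map[string][]Requirement

func key(path, version string) string { return path + "@" + version }

// compareSemver orders plain "vMAJOR.MINOR.PATCH" tags numerically; the result
// is negative, zero or positive. No pre-release handling: not needed here.
func compareSemver(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3; i++ {
		x, _ := strconv.Atoi(pa[i])
		y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x - y
		}
	}
	return 0
}

// MVS is minimal version selection as the go command applies it to a go 1.14
// module (no graph pruning): every module version reachable from main's
// requirements is visited, and per module path the highest version seen wins.
func MVS(g Graph, main []Requirement) map[string]string {
	seen := map[string]bool{}
	selected := map[string]string{}
	var visit func(r Requirement)
	visit = func(r Requirement) {
		k := key(r.Path, r.Version)
		if seen[k] {
			return
		}
		seen[k] = true
		if cur, ok := selected[r.Path]; !ok || compareSemver(r.Version, cur) > 0 {
			selected[r.Path] = r.Version
		}
		for _, dep := range g[k] {
			visit(dep)
		}
	}
	for _, r := range main {
		visit(r)
	}
	return selected
}

// AfterGoGet models `go get path@version`: the requested version becomes a
// requirement of the main module itself, which is how main outvotes module1.
func AfterGoGet(main []Requirement, path, version string) []Requirement {
	var out []Requirement
	for _, r := range main {
		if r.Path != path { // drop any older requirement for the same path
			out = append(out, r)
		}
	}
	return append(out, Requirement{path, version})
}

// RenderRequire writes the require block for a go <= 1.16 module: a requirement
// that no package of the main module imports directly is marked // indirect.
func RenderRequire(main []Requirement, directImports map[string]bool) string {
	var b strings.Builder
	b.WriteString("require (\n")
	for _, r := range main {
		b.WriteString("\t" + r.Path + " " + r.Version)
		if !directImports[r.Path] {
			b.WriteString(" // indirect")
		}
		b.WriteString("\n")
	}
	b.WriteString(")\n")
	return b.String()
}

// Constructed graph from the question: module1 v0.0.1 pins module3 v0.0.3 and
// v0.0.4 is the patched release. Placeholder paths, not real modules.
var graph = Graph{
	key("ext1.com/module1", "v0.0.1"): {{"ext3.com/module3", "v0.0.3"}},
	key("ext3.com/module3", "v0.0.3"): nil,
	key("ext3.com/module3", "v0.0.4"): nil,
}

func main() {
	before := []Requirement{{"ext1.com/module1", "v0.0.1"}}
	after := AfterGoGet(before, "ext3.com/module3", "v0.0.4")
	fmt.Println(MVS(graph, after)) // map[ext1.com/module1:v0.0.1 ext3.com/module3:v0.0.4]
	fmt.Print(RenderRequire(after, map[string]bool{"ext1.com/module1": true}))
}
```

In a real module, confirm the result with `go list -m all` (selected version per module) and `go mod graph` (who requires what) after running `go get` and `go mod tidy`. Two caveats worth knowing: a `replace ext3.com/module3 v0.0.3 => ext3.com/module3 v0.0.4` as in the question swaps in v0.0.4's source for the build, but the build list still records v0.0.3 (`go list -m all` prints it with an arrow to the replacement), so a scanner that reads selected versions may keep flagging it; and from go 1.17 onward the go command lists every transitively needed module explicitly in go.mod, so the `// indirect` behaviour quoted above is specific to `go 1.16` or lower directives like this one.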
