force a transitive dependency version in golang


I have a question about dependencies in golang.
My application defines a go.mod like this:


require ( v0.0.1

go 1.14

The dependency relationship is:

  1. v0.0.1 depends on v0.0.3

A security scan detects v0.0.3 is insecure and must be updated to v0.0.4.

Is there a way to "force" myapp to get only module3 v0.0.4, overriding the directives defined in module1 v0.0.1 go.mod?

  1. Let’s say v0.0.1 is already at the latest version, so upgrading it doesn’t work.

Would "replace" work?


require ( v0.0.1

replace v0.0.3 => v0.0.4

go 1.14

Thanks in advance!


Run go get -u

This upgrades the module to at least the v0.0.4

Given the dependency main -> B -> C, when main requires a higher version of C than that required by B, the higher version is selected, with // indirect.

See this

If the go directive specifies go 1.16 or lower, the go command adds an indirect requirement when the selected version of a module is higher than what is already implied (transitively) by the main module’s other dependencies. That may occur because of an explicit upgrade (go get -u ./…)

I quote this part because your go.mod has go 1.14

Answered By – blackgreen

Answer Checked By – Candace Johnson (GoLangFix Volunteer)

Leave a Reply

Your email address will not be published.