I have a question about dependencies in golang.
My application defines a go.mod like this:
```
module my.host.com/myapp

require (
	ext1.com/module1 v0.0.1
)

go 1.14
```
The dependency relationship is:
- ext1.com/module1 v0.0.1 depends on ext3.com/module3 v0.0.3
A security scan detects ext3.com/module3 v0.0.3 is insecure and must be updated to v0.0.4.
Is there a way to "force" myapp to get only module3 v0.0.4, overriding the directives defined in module1 v0.0.1 go.mod?
- Let’s say ext1.com/module1 v0.0.1 is already at the latest version, so upgrading it doesn’t work.
Would "replace" work?
```
module my.host.com/myapp

require (
	ext1.com/module1 v0.0.1
)

replace ext3.com/module3 v0.0.3 => ext3.com/module3 v0.0.4

go 1.14
```
Thanks in advance!
go get -u email@example.com.
This upgrades the module to at least the
Given the dependency main -> B -> C, when main requires a higher version of C than that required by B, the higher version is selected, with
If the go directive specifies go 1.16 or lower, the go command adds an indirect requirement when the selected version of a module is higher than what is already implied (transitively) by the main module’s other dependencies. That may occur because of an explicit upgrade (go get -u ./...)
I quote this part because your go.mod has
Answered By – blackgreen
Answer Checked By – Candace Johnson (GoLangFix Volunteer)
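The selection rule the answer describes (main -> B -> C, the higher required version of C wins), as an added example that is not part of the original answer or the Go toolchain's own code: a simplified model of minimal version selection run over the module graph from the question. The names `mod`, `less`, `selectVersions` and `graph` are made up for this illustration, and versions are assumed to be plain vMAJOR.MINOR.PATCH.

```go
package main

import "fmt"

type mod struct{ path, version string } // one module version

// less compares plain vMAJOR.MINOR.PATCH versions; pre-release tags are out of scope here.
func less(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// selectVersions visits every requirement reachable from the main module's
// require list and keeps the highest version seen for each module path.
func selectVersions(mainReqs []mod, reqs map[mod][]mod) map[string]string {
	selected := map[string]string{}
	seen := map[mod]bool{}
	queue := append([]mod(nil), mainReqs...)
	for i := 0; i < len(queue); i++ {
		m := queue[i]
		if seen[m] {
			continue
		}
		seen[m] = true
		if cur, ok := selected[m.path]; !ok || less(cur, m.version) {
			selected[m.path] = m.version
		}
		queue = append(queue, reqs[m]...)
	}
	return selected
}

// graph: each module version's own go.mod requirements (constructed from the question).
var graph = map[mod][]mod{
	{"ext1.com/module1", "v0.0.1"}: {{"ext3.com/module3", "v0.0.3"}},
}

func main() {
	before := []mod{{"ext1.com/module1", "v0.0.1"}}
	after := append(before, mod{"ext3.com/module3", "v0.0.4"}) // requirement added to myapp's go.mod
	fmt.Println(selectVersions(before, graph), selectVersions(after, graph))
}
```

With only module1 required, module3 resolves to v0.0.3; once myapp's own go.mod also requires module3 v0.0.4, that version is selected while module1 stays at v0.0.1.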