force a transitive dependency version in golang

Time:11-27

I have a question about dependencies in golang. My application defines a go.mod like this:

module my.host.com/myapp

require (
    ext1.com/module1 v0.0.1
)

go 1.14

ext1.com/module1 depends on ext2.com/module2 v0.0.2, which in turn depends on ext3.com/module3 v0.0.3.

A security scan detects ext3.com/module3 v0.0.3 is insecure and must be updated to v0.0.4. Is there a way to "force" myapp to get only repo3.com/module3 v0.0.4, overriding the directives defined in module2 v0.0.2 go.mod? Let's say ext1.com/module1 v0.0.1 is already at the latest version, so upgrading it doesn't work. "Exclude ext3.com/module3 v0.0.3" also doesn't work: the build succeeds (golang 1.17.2), but there's a runtime error. Would "replace" work? Assuming ext2 v0.0.3 depends on the safe ext3 v0.0.4, I mean:

module my.host.com/myapp

require (
    ext1.com/module1 v0.0.1
)

replace ext2.com/module2 v0.0.2 => ext2.com/module2 v0.0.3

go 1.14

Thanks in advance!

CodePudding user response:

Run go get -u ext3.com/module3@v0.0.4.

This upgrades the module to at least v0.0.4.

Given the dependency main -> B -> C, when main requires a higher version of C than that required by B, the higher version is selected, with // indirect.

See this https://go.dev/ref/mod#go-mod-file-require

If the go directive specifies go 1.16 or lower, the go command adds an indirect requirement when the selected version of a module is higher than what is already implied (transitively) by the main module’s other dependencies. That may occur because of an explicit upgrade (go get -u ./...)

I quote this part because your go.mod has go 1.14
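The selection rule the answer relies on (for each module path, the highest version required by any reachable go.mod wins, so a direct requirement added by go get overrides what module2 v0.0.2 asks for) can be worked through on the question's own module names. The following is an added Go example, not code from the original post or from the Go toolchain: it builds a constructed toy module graph and runs a simplified minimal version selection over it. The Graph type, compareVersions and SelectedModule3 are assumptions of this example, not Go module APIs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module identifies one version of a module path.
type Module struct {
	Path    string
	Version string
}

// Graph maps a module version to the modules its go.mod requires.
// This is a constructed toy graph mirroring the question, not real module data.
type Graph map[Module][]Module

// compareVersions compares two "vMAJOR.MINOR.PATCH" strings numerically
// (a hypothetical helper; the real toolchain uses full semver rules).
func compareVersions(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3; i++ {
		na, _ := strconv.Atoi(pa[i])
		nb, _ := strconv.Atoi(pb[i])
		if na < nb {
			return -1
		}
		if na > nb {
			return 1
		}
	}
	return 0
}

// Select implements the core of minimal version selection: visit every
// requirement reachable from main and keep, per module path, the highest
// version that any reachable go.mod demands.
func Select(g Graph, main Module) map[string]string {
	selected := map[string]string{}
	visited := map[Module]bool{}
	var walk func(m Module)
	walk = func(m Module) {
		if visited[m] {
			return
		}
		visited[m] = true
		for _, dep := range g[m] {
			if cur, ok := selected[dep.Path]; !ok || compareVersions(dep.Version, cur) > 0 {
				selected[dep.Path] = dep.Version
			}
			walk(dep)
		}
	}
	walk(main)
	return selected
}

// BuildGraph returns the constructed dependency graph from the question:
// module1 v0.0.1 -> module2 v0.0.2 -> module3 v0.0.3 (the insecure one),
// plus a newer module2 v0.0.3 that requires the fixed module3 v0.0.4.
func BuildGraph() Graph {
	m := func(p, v string) Module { return Module{p, v} }
	return Graph{
		m("ext1.com/module1", "v0.0.1"): {m("ext2.com/module2", "v0.0.2")},
		m("ext2.com/module2", "v0.0.2"): {m("ext3.com/module3", "v0.0.3")},
		m("ext2.com/module2", "v0.0.3"): {m("ext3.com/module3", "v0.0.4")},
		m("ext3.com/module3", "v0.0.3"): nil,
		m("ext3.com/module3", "v0.0.4"): nil,
	}
}

// SelectedModule3 returns the module3 version the build list would contain
// for a main module whose go.mod has the given require list.
func SelectedModule3(requires []Module) string {
	g := BuildGraph()
	main := Module{Path: "my.host.com/myapp"}
	g[main] = requires
	return Select(g, main)["ext3.com/module3"]
}

func main() {
	module1 := Module{"ext1.com/module1", "v0.0.1"}

	// The original go.mod: only module1 is required, so module3 v0.0.3 is selected.
	fmt.Println("original go.mod   ->", SelectedModule3([]Module{module1}))

	// After `go get ext3.com/module3@v0.0.4`: main now carries a direct
	// (// indirect) requirement on v0.0.4, which outranks module2's v0.0.3.
	afterGoGet := []Module{module1, {"ext3.com/module3", "v0.0.4"}}
	fmt.Println("after go get      ->", SelectedModule3(afterGoGet))

	// Requiring the newer module2 v0.0.3 directly also pulls in module3 v0.0.4.
	viaModule2 := []Module{module1, {"ext2.com/module2", "v0.0.3"}}
	fmt.Println("require module2 v0.0.3 ->", SelectedModule3(viaModule2))
}
```

On a real project the check is `go list -m ext3.com/module3` (or `go list -m all`), which prints the version actually selected for the build; after the go get it should report v0.0.4, and the new `require ext3.com/module3 v0.0.4 // indirect` line stays in go.mod so the override survives future `go mod tidy` runs as long as something still depends on module3.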
