First attempt, simply setting all 5 modules to the requested versions, turned into a big mess.
Then I tried the updates one at a time in separate commits, to see the effects separately and make it easier to backtrack.
The grpc module was the problem-causer. The security scan had offered three "fix" versions: 1.56.3, 1.57.1, and 1.58.3. I first tried the highest option (because why not?) go mod tidy resolved ok, but the build threw a bunch of errors like:
Error: ../../../go/pkg/mod/google.golang.org/grpc@v1.60.0/encoding/encoding.go:88:12: undefined: any
Error: ../../../go/pkg/mod/google.golang.org/grpc@v1.60.0/encoding/encoding.go:90:27: undefined: any
note: module requires Go 1.19
Before accepting that we'd need to raise our minimum golang version (that would be a breaking change, necessitating a 3.0.0 version, wouldn't it?), I tried the lower versions. When I tried 1.56.3, go mod tidy automatically changed it to 1.57.0; I bumped that to 1.57.1, as that was the remaining option from the scan. And that worked: build succeeded and test matrix passed.
First attempt, simply setting all 5 modules to the requested versions, turned into a big mess. Then I tried the updates one at a time in separate commits, to see the effects separately and make it easier to backtrack.
The
grpcmodule was the problem-causer. The security scan had offered three "fix" versions: 1.56.3, 1.57.1, and 1.58.3. I first tried the highest option (because why not?)go mod tidyresolved ok, but the build threw a bunch of errors like:Before accepting that we'd need to raise our minimum golang version (that would be a breaking change, necessitating a
3.0.0version, wouldn't it?), I tried the lower versions. When I tried1.56.3,go mod tidyautomatically changed it to1.57.0; I bumped that to1.57.1, as that was the remaining option from the scan. And that worked: build succeeded and test matrix passed.