Closed hectorj2f closed 10 months ago
I may be misunderstanding this, but is it possible that the reason `go mod tidy` removed it from `go.mod` is that the dependency is no longer needed at all (any version)? If the goal is to resolve a vulnerability, and based on other updates, the project no longer has a need for a given Go module dependency, wouldn't it be better not to add it to `replaces`?
@luhring Good question. Yes and no: this can happen in both scenarios, when you don't need a dep (what you mention) or when you really want a specific version of a dependency that is not vulnerable but other deps or `go mod tidy` reverted that change. For instance, I want a specific version of otel/grpctrace, but `go mod tidy` reverts my change because other deps use another dependency, etc. If I really know that this dep is what I want, I need to add it to `replaces` (together with other deps: otel, otel/sdk, ...) to instruct `go mod tidy` to stick with a certain version instead of another.
Whenever we set in `deps` a dependency that will get removed once `go mod tidy` runs, we need to return a proper error that indicates how to solve it. In this case, the way to solve it requires adding it to the list of `replaces`.