chainguard-dev / gobump

Go tool to declaratively bump dependencies.
Apache License 2.0

Replaces fails - if the upstream project has defined the dependency in both a 'replace' and a 'require' block #38

Open mamccorm opened 2 months ago

mamccorm commented 2 months ago

Example:

Upstream have set this in the 'replace' section:

github.com/containerd/containerd => github.com/containerd/containerd v1.6.22

And they also have this in the 'require' section:

github.com/containerd/containerd v1.7.6

If you try doing this using go/bump:

  - uses: go/bump
    with:
      replaces: github.com/containerd/containerd=github.com/containerd/containerd@v1.6.22

It'll fail to apply, and complain that a newer version is already set (i.e. in the require section). This is a bit of a strange implementation by the upstream project.

To address this, we should drop the check that looks for a newer version in the go.mod if the version is set in the 'replaces' block.

hectorj2f commented 1 month ago

I agree it looks like a weird configuration for their dependencies. I believe if we could allow setting only the replaces block in gobump this issue could be solved as well.
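
As an added illustration (not gobump's own code and not part of either comment), the Go sketch below parses a constructed go.mod shaped like the one in the issue and models the reported check, which compares the requested replace version against the `require` entry. `parse`, `key` and `checkReplace` are hypothetical names, the parser is simplified, and `exempt=true` models the change proposed in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod mirroring the issue: require v1.7.6, replace pins v1.6.22.
const sampleGoMod = "module example.com/upstream\n\nrequire (\n\tgithub.com/containerd/containerd v1.7.6\n)\n\n" +
	"replace github.com/containerd/containerd => github.com/containerd/containerd v1.6.22\n"

// parse collects require and versioned replace entries (simplified: no comments in replace lines).
func parse(gomod string) (require, replace map[string]string) {
	require, replace = map[string]string{}, map[string]string{}
	block := ""
	for _, line := range strings.Split(gomod, "\n") {
		f, kind := strings.Fields(line), block
		if kind == "" && len(f) > 0 {
			kind, f = f[0], f[1:] // single-line directive or block opener
		}
		switch {
		case len(f) == 1 && f[0] == "(":
			block = kind
		case len(f) == 1 && f[0] == ")":
			block = ""
		case kind == "require" && len(f) >= 2:
			require[f[0]] = f[1]
		case kind == "replace" && len(f) >= 4 && f[len(f)-3] == "=>":
			replace[f[0]] = f[len(f)-1]
		}
	}
	return
}

// key makes vMAJOR.MINOR.PATCH comparable as one integer (pre-release tags ignored).
func key(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	return a<<40 | b<<20 | c
}

// checkReplace models the reported check; exempt=true models the proposed fix (assumption).
func checkReplace(gomod, mod, want string, exempt bool) error {
	if req, _ := parse(gomod); !exempt && key(want) < key(req[mod]) {
		return fmt.Errorf("%s: require already has %s, refusing %s", mod, req[mod], want)
	}
	return nil
}

func main() { fmt.Println(checkReplace(sampleGoMod, "github.com/containerd/containerd", "v1.6.22", false)) }
```

Because a `replace` directive in the main module's go.mod overrides the `require` version at build time, v1.6.22 is the version that gets compiled here, so that is the version to evaluate when checking the dependency against advisories.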