Go projects that reference this project are (almost) forced to use gopkg.in/alecthomas/kingpin.v2 instead of github.com/alecthomas/kingpin/v2.
How can we reproduce it?
Take any project that references this one in its go.mod and try to use github.com/alecthomas/kingpin/v2 in the sub project with a replace such as this:
replace gopkg.in/alecthomas/kingpin.v2 v2.2.6 => github.com/alecthomas/kingpin/v2 v2.4.0
then:
❯ go mod why -m all
go: github.com/alecthomas/kingpin/v2@v2.4.0 used for two different module paths (github.com/alecthomas/kingpin/v2 and gopkg.in/alecthomas/kingpin.v2)
This returns an exit code of 1, which makes scanning tools (such as Black Duck) fail their scan. This is why it makes it "impossible" for consumers to use the newer module version of kingpin.
What happened?
Go projects that reference this project are (almost) forced to use
gopkg.in/alecthomas/kingpin.v2instead ofgithub.com/alecthomas/kingpin/v2.How can we reproduce it?
Take any project that references this one in its
go.modand try to usegithub.com/alecthomas/kingpin/v2in the sub project with a replace such as this:replace gopkg.in/alecthomas/kingpin.v2 v2.2.6 => github.com/alecthomas/kingpin/v2 v2.4.0then:
This returns an exit code of 1, which makes scanning tools (such as Black Duck) fail their scan. This is why it makes it "impossible" for consumers to use the newer module version of kingpin.
What environment did it happen in?
Go version: 1.22