gruntwork-io / terragrunt

Terragrunt is a flexible orchestration tool that allows Infrastructure as Code written in OpenTofu/Terraform to scale.
https://terragrunt.gruntwork.io/
MIT License

Hash mismatch prevents building with `GOPROXY=direct` #2900

Closed ChandlerSwift closed 3 weeks ago

ChandlerSwift commented 8 months ago

Describe the bug: I generally run go with GOPROXY=direct, which bypasses the Google-run module cache and downloads module sources directly from their repos. Terragrunt fails to be built with this option set, due to a hash mismatch on an indirect dependency.

To Reproduce: I ran these commands in a current golang docker container, to make sure nothing in my environment was causing (additional) issues:

docker pull golang:latest
docker run -it golang:latest
$ git clone --depth=1 https://github.com/gruntwork-io/terragrunt.git
[...]
$ cd terragrunt
$ git rev-parse HEAD
419ea3a485aafc79dd5ca89da615d06b6fd0f991
$ GOPROXY=direct go build main.go
go: downloading github.com/gruntwork-io/go-commons v0.17.1
[...]
go: downloading github.com/hashicorp/hcl v1.0.1-vault
go: downloading github.com/zclconf/go-cty v1.13.2
verifying github.com/hashicorp/hcl@v1.0.1-vault: checksum mismatch
    downloaded: h1:/JhJsLUPC73zeqSbkZApgsofP4iB++zgDHS5t6ZL0Lc=
    go.sum:     h1:UiJeEzCWAYdVaJr8Xo4lBkTozlW1+1yxVUnpbS1xVEk=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Expected behavior: This build should succeed.

Additional context: I'm not a go packaging expert, so take all this with a healthy grain of salt :) My understanding is that go's tooling all makes the (reasonable) assumption that a tagged release will not change. However, it turns out that 1.0.1-vault is in fact a branch, not a tag, and it has moved. proxy.golang.org, being a caching proxy, provides the first seen version of 1.0.1-vault (which I believe to be https://github.com/hashicorp/hcl/commit/809e678c39ec71ae0b37a792de60b7e10e571dfe), while an install with GOPROXY=direct fetches the tip of the branch from its repo, which is https://github.com/hashicorp/hcl/commit/cf4c4bf2466d28b8fd0e9953ee5eb7caa3af5418.

It doesn't seem to me like there's an obvious way to make the hcl@1.0.1-vault dependency work; either I leave it with an outdated hash so that it works with the proxy (and presumably, for the majority of Go users who don't override the default GOPROXY option), or I update the hash and it works for me but breaks for anyone who uses the default proxy.

However, a fairly straightforward fix would be to either upgrade or downgrade the version of the indirect dependency; it appears to be required only by https://github.com/hashicorp/terraform-config-inspect/blob/master/go.mod#L6C1-L6C61 which merely requires a version greater than v0.0.0-20170504190234-a4b07c25de5f and less than 2.0, so any of the versions listed at https://pkg.go.dev/github.com/hashicorp/hcl?tab=versions (which are all tags, except v1.0.1-vault which we had the bad luck to land on) should work.
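The two `h1:` values in the error above are Go module directory hashes: `go` hashes every file in the downloaded module zip, lists them in sorted order, and hashes that listing, so any change to the branch tip changes the recorded value. As an added example (not code from this issue, from terragrunt, or from the Go toolchain), here is a stand-alone reimplementation of that scheme over an in-memory file set, with a constructed sample module whose "branch" copy differs by one line:

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Hash1 recomputes a go.sum "h1:" hash the way the Go toolchain's dirhash
// does: SHA-256 each file, write "<hex sum>  <name>\n" lines in sorted name
// order, then base64-encode the SHA-256 of that listing. In a module zip the
// names are "<module>@<version>/<path>"; the "/go.mod" go.sum line hashes a
// single file named "go.mod".
func Hash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("dirhash: filenames with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	listing := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(listing, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(listing.Sum(nil)), nil
}

// Constructed sample: same module path and version string, but the second
// tree carries one extra line, as a moved branch would.
var pinned = map[string][]byte{
	"example.com/hcl@v1.0.1-branch/go.mod": []byte("module example.com/hcl\n"),
	"example.com/hcl@v1.0.1-branch/hcl.go": []byte("package hcl\n"),
}
var branchTip = map[string][]byte{
	"example.com/hcl@v1.0.1-branch/go.mod": []byte("module example.com/hcl\n"),
	"example.com/hcl@v1.0.1-branch/hcl.go": []byte("package hcl\n\nconst Moved = true\n"),
}

func main() {
	a, _ := Hash1(pinned)
	b, _ := Hash1(branchTip)
	fmt.Printf("go.sum:     %s\ndownloaded: %s\nmatch: %v\n", a, b, a == b)
}
```

The same mismatch is what `go` reports as a SECURITY ERROR: go.sum pins the hash of the first tree the proxy saw, and a direct fetch of the moved branch produces the second.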

ChandlerSwift commented 8 months ago

If either a downgrade to hcl@v1.0.0 or an upgrade to hcl@v1.0.1-vault-5 (the newest 1.x version) or something else entirely makes sense, I'd be happy to open a PR for such! But I figured I'd make sure that made sense before making and testing a PR.

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for raising this issue.

ChandlerSwift commented 3 weeks ago

This is still an issue.