krakend / krakend-ce

KrakenD Community Edition: High-performance, stateless, declarative, API Gateway written in Go.
https://www.krakend.io
Apache License 2.0

check-plugin fix fails for indirect dependencies #901

Open stevenh opened 2 months ago

stevenh commented 2 months ago

Environment info: KrakenD version: 2.3.6 on linux amd64 using docker image devopsfaith/krakend

Describe the bug: If you run krakend check-plugin -f to output fixes for incompatible package versions, it provides a go get for each package.

These work as expected for direct dependencies; however, for indirect dependencies the changes are lost when go mod tidy is run.

For indirect dependencies, instead of go get they should be go mod edit -replace <pkg>=<pkg>@<version>, which will pin the indirect dependency, ensuring the changes aren't lost by running go mod tidy.

It would also be nice if there was a way to apply the changes, instead of having to write shell scripts to parse and run. I would suggest adding an additional flag such as --apply.
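A sketch of the parse-and-rewrite step described above, as an added example that is not code from KrakenD or from the issue's author: it keeps `go get` for direct dependencies and emits `go mod edit -replace` for modules that go.mod marks `// indirect`. The input format (one `go get <pkg>@<version>` per line), the function names and the `example.com` modules are assumptions made for illustration.

```shell
# pin_fixes GO_MOD FIXES  (hypothetical helper, not part of krakend)
# FIXES holds "go get <pkg>@<version>" lines (assumed format). Prints the
# command to run for each line: unchanged for direct dependencies, a
# "go mod edit -replace" pin for modules GO_MOD marks "// indirect".
pin_fixes() {
    awk -v gomod="$1" '
        BEGIN {
            # Collect every module required with a trailing "// indirect".
            while ((getline line < gomod) > 0) {
                if (line !~ /\/\/ indirect[ \t]*$/) continue
                split(line, f)
                # "require <mod> <ver> // indirect" or, inside a block,
                # "<mod> <ver> // indirect".
                mod = (f[1] == "require") ? f[2] : f[1]
                indirect[mod] = 1
            }
            close(gomod)
        }
        # Only well-formed "go get pkg@version" lines are passed on.
        $1 == "go" && $2 == "get" && NF == 3 {
            at = index($3, "@")
            if (at < 2 || at == length($3)) next  # no module or no version
            mod = substr($3, 1, at - 1)
            if (mod in indirect)
                printf "go mod edit -replace %s=%s\n", mod, $3
            else
                print
        }
    ' "$2"
}

# Constructed sample input: one direct and two indirect requirements.
pin_fixes_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/go.mod" <<'EOF'
module example.com/myplugin
require (
    example.com/direct/lib v1.2.0
    example.com/indirect/dep v0.3.0 // indirect
)
require example.com/other/indirect v1.0.0 // indirect
EOF
    cat > "$dir/fixes.txt" <<'EOF'
go get example.com/direct/lib@v1.1.0
go get example.com/indirect/dep@v0.2.5
go get example.com/other/indirect@v0.9.0
EOF
    pin_fixes "$dir/go.mod" "$dir/fixes.txt"
    rm -rf "$dir"
}
```

The function only prints commands, so the output can be reviewed before it is run in the plugin's module directory.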

stevenh commented 2 months ago

The underlying bug is in krakend-cobra, but keeping this so we can track the dependency update.

taik0 commented 1 month ago

The check-plugin apply should be used without running go mod tidy at the end or you will lose all the dependencies "magic".

stevenh commented 1 month ago

Unfortunately, pipelines often validate that go mod tidy results in no changes, or it is even part of a pre-commit check. However, even if this is not the case, new dependencies are often introduced, requiring a go mod tidy, so you want a permanent fix that doesn't need to be constantly reapplied.

The fix for this has already been merged in the upstream repo https://github.com/krakend/krakend-cobra/pull/28

Keeping this ticket open until there's a new release and the dependency is updated to include the fix, which I'm hoping can also include https://github.com/krakend/krakend-cobra/pull/29, which fully automates this process too.