Closed esheri3 closed 2 years ago
Thanks for reporting this! I have run into similar problems due to recent changes in the install command. Basically, install no longer plays nice with any project that uses the replace directive. See: Deprecation of 'go get' for installing executables.
Discussions around this change basically surmised the use of the replace directive is not "common" enough to be a problem. Hrm. ;)
Unfortunately, I don't see a way other than the replace directive to resolve vulnerabilities with transitive dependencies whose parent deps are not yet updated. Egg/chicken which....
That said, one workaround I've seen is to fetch and install the desired binary through other means (ugh). In my case, I manually downloaded one of our pre-built nancy binaries and ran it.
Please do post other solutions here!
So....I think I have a solution: Instead of using a replace directive, manually update the indirect dependency version in the second require stanza of go.mod file. I suspect other perils lurk here, but I think it gets us moving forward again.
I think this allows us to fix vulnerabilities, while also allowing use of go install. I've pushed some changes, and done a new release of nancy (v1.0.32). Please give that a try and report your findings here. @esheri3
@bhamail worked like a charm! this issue has been addressed from my perspective. thank you!
I install nancy via the 'go install' command. It worked prior to v1.0.30.
Try running the following command:
go install github.com/sonatype-nexus-community/nancy@latest
It will fail with the following error:
This is a result of the following change:
https://github.com/sonatype-nexus-community/nancy/commit/966edb28ddc98a54a561bddd860976b511051bbb
cc @bhamail / @DarthHater
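A pre-release check for the failure discussed in this thread, as an added example that is not part of the original issue or of nancy's code: it flags go.mod directives that make `go install pkg@version` refuse a module, so a vulnerability fix is shipped as a bumped indirect requirement instead. It goes slightly beyond the thread by also flagging exclude directives, which `go install` rejects for the same reason. The function name `check_gomod_installable` and the example.com module paths are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example. Prints every replace/exclude directive found in a go.mod
# and returns 1 if there is at least one, 0 if the file is clean.
check_gomod_installable() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { sub(/\/\/.*/, "") }                        # drop // comments
        /^[ \t]*(replace|exclude)[ \t]*\(/ {         # block form: replace (
            kind = $1; sub(/\(.*/, "", kind); in_block = 1; next
        }
        in_block && /^[ \t]*\)/ { in_block = 0; next }
        in_block && NF { print kind " " trim($0); found = 1; next }
        /^[ \t]*(replace|exclude)[ \t]+[^ \t(]/ {    # single-line form
            print trim($0); found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample inputs (hypothetical modules, not the real nancy go.mod).
demo_dir=$(mktemp -d)
cat > "$demo_dir/replace.mod" <<'EOF'
module example.com/tool

go 1.20

require example.com/app v1.0.0

require example.com/lib v1.2.3 // indirect

replace (
    example.com/lib => example.com/lib v1.2.4
)
EOF
cat > "$demo_dir/bumped.mod" <<'EOF'
module example.com/tool

go 1.20

require example.com/app v1.0.0

// no replace needed: the indirect requirement itself is bumped
require example.com/lib v1.2.4 // indirect
EOF

for f in "$demo_dir/replace.mod" "$demo_dir/bumped.mod"; do
    if check_gomod_installable "$f" >/dev/null; then
        echo "$f: ok for go install"
    else
        echo "$f: contains replace/exclude, go install pkg@version will fail"
    fi
done
```

Run against the module's go.mod in CI before tagging a release; a non-zero return means the tag would not be installable with `go install ...@latest`.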