sonatype-nexus-community / nancy

A tool to check for vulnerabilities in your Golang dependencies, powered by Sonatype OSS Index
Apache License 2.0

go install does not work - complains about replace directive #259

Closed esheri3 closed 2 years ago

esheri3 commented 2 years ago

I install nancy via the 'go install' command. It worked prior to v1.0.30.

Try running the following command:

go install github.com/sonatype-nexus-community/nancy@latest

It will fail with the following error:

    The go.mod file for the module providing named packages contains one or
    more replace directives. It must not contain directives that would cause
    it to be interpreted differently than if it were the main module.

This is a result of the following change:

https://github.com/sonatype-nexus-community/nancy/commit/966edb28ddc98a54a561bddd860976b511051bbb

cc @bhamail / @DarthHater

bhamail commented 2 years ago

Thanks for reporting this! I have run into similar problems due to recent changes in the install command. Basically, install no longer plays nice with any project that uses the replace directive. see: Deprecation of 'go get' for installing executables.

Discussions around this change basically surmised the use of the replace directive is not "common" enough to be a problem. Hrm. ;) Unfortunately, I don't see a way other than the replace directive to resolve vulnerabilities with transitive dependencies whose parent deps are not yet updated. Egg/chicken which....

That said, one workaround I've seen is to fetch and install the desired binary through other means (ugh). In my case, I manually downloaded one of our pre-built nancy binaries and ran it.

Please do post other solutions here!

bhamail commented 2 years ago

So....I think I have a solution: Instead of using a replace directive, manually update the indirect dependency version in the second require stanza of the go.mod file. I suspect other perils lurk here, but I think it gets us moving forward again.

I think this allows us to fix vulnerabilities, while also allowing use of go install. I've pushed some changes, and done a new release of nancy (v1.0.32). Please give that a try and report your findings here. @esheri3
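A before-and-after go.mod showing the change described in the comment above (an added illustration, not a file from the nancy repository; the module paths and versions are constructed placeholders):

```gomod
// BEFORE: the vulnerable transitive dependency is pinned through a replace directive.
// Module paths and versions here are constructed placeholders, not nancy's own.
module example.com/mytool

go 1.17

require (
	example.com/parentlib v1.0.0
)

require (
	example.com/transitive v1.2.3 // indirect; vulnerable version pulled in by parentlib
)

// Any replace directive makes `go install example.com/mytool@latest` fail with
// "The go.mod file for the module providing named packages contains one or
// more replace directives."
replace example.com/transitive => example.com/transitive v1.2.4

// AFTER: drop the replace and bump the indirect requirement instead.
// Minimal version selection takes the higher version required here over the
// v1.2.3 that parentlib asks for, and go install accepts the module.
module example.com/mytool

go 1.17

require (
	example.com/parentlib v1.0.0
)

require (
	example.com/transitive v1.2.4 // indirect; bumped past the vulnerable release
)
```

Running `go get example.com/transitive@v1.2.4` followed by `go mod tidy` produces the same edit without hand-editing the stanza. Unlike replace, this only works when the fixed version is published under the original module path; it cannot point at a fork or a local patch.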

esheri3 commented 2 years ago

@bhamail worked like a charm! This issue has been addressed from my perspective. Thank you!