
force a transitive dependency version in golang

I have a question about dependencies in golang. My application defines a go.mod like this:

module my.host.com/myapp

require (
    ext1.com/module1 v0.0.1
)

go 1.14

The dependency relationship is:

  1. ext1.com/module1 v0.0.1 depends on ext3.com/module3 v0.0.3

A security scan detects that ext3.com/module3 v0.0.3 is insecure and must be updated to v0.0.4.

Is there a way to "force" myapp to get only module3 v0.0.4, overriding the directives defined in the go.mod of module1 v0.0.1?

  1. Let's say ext1.com/module1 v0.0.1 is already at the latest version, so upgrading it doesn't work.

Would "replace" work?

module my.host.com/myapp

require (
    ext1.com/module1 v0.0.1
)

replace ext3.com/module3 v0.0.3 => ext3.com/module3 v0.0.4

go 1.14

Thanks in advance!

Run go get -u ext3.com/module3@v0.0.4.

This upgrades the module to at least v0.0.4.

Given the dependency chain main -> B -> C, when main requires a higher version of C than B does, the higher version is selected, marked // indirect.

See this https://go.dev/ref/mod#go-mod-file-require

If the go directive specifies go 1.16 or lower, the go command adds an indirect requirement when the selected version of a module is higher than what is already implied (transitively) by the main module's other dependencies. That may occur because of an explicit upgrade (go get -u ./...)

I quote this part because your go.mod has go 1.14.
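To make the selection rule in the answer concrete, here is an added example (not part of the original post, and not the go command's own code) that simulates minimal version selection over a constructed requirement graph. The module paths and versions are the ones from the question; the graph shape (module1 requires module3, module3 requires nothing) is assumed. BeforeUpgrade models the original go.mod, AfterUpgrade models what `go get ext3.com/module3@v0.0.4` adds to the main module, and Select returns the per-module version the build would use.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ModuleVersion identifies one version of one module, e.g. ext3.com/module3@v0.0.3.
// The main module has an empty Version.
type ModuleVersion struct {
	Path    string
	Version string
}

// Requirements maps a module version to the require lines of its go.mod.
type Requirements map[ModuleVersion][]ModuleVersion

// compareSemver orders two "vMAJOR.MINOR.PATCH" strings numerically and
// returns -1, 0 or +1. Pre-release tags and build metadata are not modelled;
// the versions in this example are plain.
func compareSemver(a, b string) int {
	pa := strings.Split(strings.TrimPrefix(a, "v"), ".")
	pb := strings.Split(strings.TrimPrefix(b, "v"), ".")
	for i := 0; i < 3; i++ {
		na, _ := strconv.Atoi(pa[i])
		nb, _ := strconv.Atoi(pb[i])
		if na < nb {
			return -1
		}
		if na > nb {
			return 1
		}
	}
	return 0
}

// Select runs minimal version selection from the main module: it walks every
// requirement reachable from main (including the go.mod of older versions it
// passes through) and keeps, per module path, the highest version any
// reachable go.mod asks for. That is why a direct requirement on module3
// v0.0.4 in main wins over module1's requirement on v0.0.3.
func Select(reqs Requirements, main ModuleVersion) map[string]string {
	selected := map[string]string{}
	visited := map[ModuleVersion]bool{}
	queue := []ModuleVersion{main}
	for len(queue) > 0 {
		mv := queue[0]
		queue = queue[1:]
		if visited[mv] {
			continue
		}
		visited[mv] = true
		for _, dep := range reqs[mv] {
			cur, ok := selected[dep.Path]
			if !ok || compareSemver(dep.Version, cur) > 0 {
				selected[dep.Path] = dep.Version
			}
			queue = append(queue, dep)
		}
	}
	return selected
}

// Constructed graph using the paths and versions from the question.
var (
	mainMod    = ModuleVersion{Path: "my.host.com/myapp"}
	module1    = ModuleVersion{Path: "ext1.com/module1", Version: "v0.0.1"}
	module3Old = ModuleVersion{Path: "ext3.com/module3", Version: "v0.0.3"}
	module3New = ModuleVersion{Path: "ext3.com/module3", Version: "v0.0.4"}
)

// BeforeUpgrade is the original go.mod: main requires only module1, and
// module1's go.mod pins module3 v0.0.3 (assumed; module3 requires nothing).
func BeforeUpgrade() Requirements {
	return Requirements{
		mainMod: {module1},
		module1: {module3Old},
	}
}

// AfterUpgrade adds the line that `go get ext3.com/module3@v0.0.4` writes into
// the main module's go.mod (with go 1.14 it is marked // indirect because
// main does not import module3 itself).
func AfterUpgrade() Requirements {
	r := BeforeUpgrade()
	r[mainMod] = append(r[mainMod], module3New)
	return r
}

func main() {
	for _, c := range []struct {
		name string
		reqs Requirements
	}{{"before", BeforeUpgrade()}, {"after", AfterUpgrade()}} {
		fmt.Printf("%-6s module3 -> %s\n", c.name, Select(c.reqs, mainMod)["ext3.com/module3"])
	}
}
```

After running the real `go get`, check the result with `go list -m all`, which prints the selected version of every module in the build list, and confirm with `go mod why ext3.com/module3` that the only consumer is still module1.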
