Dependency version inconsistency #6
Description
It is a reminder of dependency version inconsistency introduced by replace directive used in github.com/smallstep/certificates.
Dependency line:
github.com/FederatedAI/FedLCM --> github.com/smallstep/certificates --> go.mozilla.org/pkcs7
github.com/smallstep/certificates v0.23.0 --> github.com/smallstep/pkcs7 e1aab68
https://github.com/smallstep/certificates/blob/v0.23.0/go.mod#L160
Background
Repo github.com/smallstep/certificates at version v0.23.0 uses replace directive to pin dependency github.com/smallstep/pkcs7 to version e1aab68.
According to Go Modules wikis, replace directives in modules other than the main module are ignored when building the main module.
It means such replace usage in dependency's go.mod cannot be inherited when building main module. And it turns out that FederatedAI/FedLCM indirectly relies on go.mozilla.org/pkcs7@33d0574, which is different from the pinned version smallstep/certificates needed.
https://github.com/FederatedAI/FedLCM/blob/main/go.mod(Line 189)
go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirecthttps://github.com/smallstep/certificates/blob/v0.23.0/go.mod(line 44&160)
go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
...
// use github.com/smallstep/pkcs7 fork with patches applied
replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20221024180420-e1aab68dda05It seems that github.com/smallstep/certificates replaces go.mozilla.org/pkcs7 for some patches applied in github.com/smallstep/pkcs7.
Solution
1. Bump the version of dependency github.com/smallstep/certificates
If it doesn't cause issues at the moment, you may wait github.com/smallstep/certificates to eliminate the use of the replace directive and then update it.
2. Add the same replace rule to your go.mod
replace go.mozilla.org/pkcs7 => github.com/smallstep/pkcs7 v0.0.0-20221024180420-e1aab68dda05Tips: Introduce replace directive may break go install and it can not be inherited by downstream projects. So, this solution is not recommended.