You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Repo github.com/smallstep/certificates at version v0.23.0 uses replace directive to pin dependency github.com/smallstep/pkcs7 to version e1aab68.
According to Go Modules wikis, replace directives in modules other than the main module are ignored when building the main module.
It means such replace usage in dependency's go.mod cannot be inherited when building main module. And it turns out that FederatedAI/FedLCM indirectly relies on go.mozilla.org/pkcs7@33d0574, which is different from the pinned version smallstep/certificates needed.
go.mozilla.org/pkcs7v0.0.0-20210826202110-33d05740a352...// use github.com/smallstep/pkcs7 fork with patches appliedreplacego.mozilla.org/pkcs7=>github.com/smallstep/pkcs7v0.0.0-20221024180420-e1aab68dda05
It seems that github.com/smallstep/certificates replaces go.mozilla.org/pkcs7 for some patches applied in github.com/smallstep/pkcs7.
Solution
1. Bump the version of dependency github.com/smallstep/certificates
If it doesn't cause issues at the moment, you may wait github.com/smallstep/certificates to eliminate the use of the replace directive and then update it.
It is a reminder of dependency version inconsistency introduced by replace directive used in
github.com/smallstep/certificates
.Dependency line:
github.com/FederatedAI/FedLCM --> github.com/smallstep/certificates --> go.mozilla.org/pkcs7
github.com/smallstep/certificates v0.23.0 --> github.com/smallstep/pkcs7 e1aab68
https://github.com/smallstep/certificates/blob/v0.23.0/go.mod#L160
Background
Repo
github.com/smallstep/certificates
at versionv0.23.0
uses replace directive to pin dependencygithub.com/smallstep/pkcs7
to versione1aab68
.According to Go Modules wikis,
replace
directives in modules other than themain module
are ignored when building the main module.It means such replace usage in dependency's go.mod cannot be inherited when building main module. And it turns out that
FederatedAI/FedLCM
indirectly relies ongo.mozilla.org/pkcs7@33d0574
, which is different from the pinned versionsmallstep/certificates
needed.It seems that
github.com/smallstep/certificates
replacesgo.mozilla.org/pkcs7
for some patches applied ingithub.com/smallstep/pkcs7
.Solution
1. Bump the version of dependency
github.com/smallstep/certificates
If it doesn't cause issues at the moment, you may wait
github.com/smallstep/certificates
to eliminate the use of the replace directive and then update it.2. Add the same replace rule to your go.mod
Tips: Introduce replace directive may break go install and it can not be inherited by downstream projects. So, this solution is not recommended.
The text was updated successfully, but these errors were encountered: