cmd/go: mod graph does not respect replace directive

[RafalSkolasinski]

What version of Go are you using (go version)?

$ go version
go version go1.14.3 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/rskolasinski/.cache/go-build"
GOENV="/home/rskolasinski/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/rskolasinski/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.14"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.14/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build249408856=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Added following replace statement in my go.mod

golang.org/x/text => golang.org/x/text v0.3.3

in order to replace CVEs affect version v0.3.0 ... v0.3.2 in the dependency tree.

This seem to work properly as freshly generated go.sum does not contain offending libraries.

What did you expect to see?

See the replace rules reflected in the go mod graph command's output.
This should be the case according to the documentation

usage: go mod graph
Graph prints the module requirement graph (with replacements applied)
in text form. Each line in the output has two space-separated fields: a module
and one of its requirements. Each module is identified as a string of the form
path@version, except for the main module, which has no @version suffix.

What did you see instead?

Original dependency graph like without the replace directive

Extra information

My attempt is here: SeldonIO/seldon-core#2211

Extra question: output of go mod vendor && cat vendor/modulex.txt always show the golang.org/x/text in version v0.3.3 - with and without replace rules - why is that the case?

[bcmills]

The replace directive replaces the source code for a given version of the module. It does not reinterpret the version as a different version (as one might expect). As a result, go mod graph should correctly follow the replacement but will attribute the dependencies to the module version being replaced.

#26904 and #26344 are related.

[bcmills]

@RafalSkolasinski, is the output of go mod graph inconsistent with the replacement's go.mod file for you, or is it just not annotating that the module was replaced?

[RafalSkolasinski]

Hi @bcmills, thanks for the reply.

I am just surprised to still see golang.org/x/[email protected] in the output of go mod graph.
I'd expect to only see there golang.org/x/[email protected] version.

[bcmills]

go mod graph reports what is in the module requirement graph. A replace directive replaces the source code for the given module — it does not remove the replaced version from the module graph. So this is working as designed.

[bcmills]

Duplicate of #32058