It's currently not possible to go install github.com/snyk/vervet/v3@latest. This is what happens if you try:
```
$ go install github.com/snyk/vervet/v3@latest
go install: github.com/snyk/vervet/v3@latest (in github.com/snyk/vervet/v3@v3.1.4):
The go.mod file for the module providing named packages contains one or
more replace directives. It must not contain directives that would cause
it to be interpreted differently than if it were the main module.
```
So there are two questions that will probably come to mind:
Why are we using the replace directive?
Vervet currently uses replace because it has a transitive dependency (dependency of a dependency of a ...) which depends on a version of golang.org/x/crypto which has security vulnerabilities detected by Snyk. While I'm trying to contribute fixes to these upstreams -- go-git/go-git#454, https://github.com/xanzy/ssh-agent may also need similar -- these vulns can be mitigated right now by overriding the affected module with a replace directive -- this allows us to build a more secure release of vervet.
Why can't I go install a binary from a module that uses replace?
Good question. The Go developers have decided not to allow it. While I appreciate Go's relentless push for simplicity, I wonder if we're missing some nuance here, especially when it comes to security concerns like the one we've encountered here.
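To see the refusal coming before running `go install pkg@latest`, here is an added example (not vervet's code) that scans a go.mod for the directives Go's rule rejects. It also flags `exclude`, which the same main-module rule covers, and the sample go.mod with its placeholder versions is constructed for the example.

```go
package main

import (
	"bufio"
	"strings"
)

// BlockingDirectives returns every replace and exclude directive in go.mod text
// (single-line or block form) as "kind body" strings; any of them makes Go refuse `go install pkg@version`.
func BlockingDirectives(gomod string) []string {
	var out []string
	block := "" // kind of the parenthesised block we are inside, or ""
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // strip comments
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		if block != "" { // inside "replace (" or "exclude ("
			if line == ")" {
				block = ""
			} else {
				out = append(out, block+" "+line)
			}
			continue
		}
		fields := strings.Fields(line)
		if kind := fields[0]; kind == "replace" || kind == "exclude" {
			if len(fields) == 2 && fields[1] == "(" {
				block = kind
			} else {
				out = append(out, kind+" "+strings.TrimSpace(line[len(kind):]))
			}
		}
	}
	return out
}

// InstallableAtVersion reports whether `go install module/...@version` would be accepted.
func InstallableAtVersion(gomod string) bool { return len(BlockingDirectives(gomod)) == 0 }

// SampleGoMod is a constructed go.mod in the shape the issue describes; versions are placeholders.
const SampleGoMod = `module example.com/vervet-like/v3
require golang.org/x/crypto v0.0.0-PLACEHOLDER-VULNERABLE
// override the transitive dependency with a patched build
replace golang.org/x/crypto => golang.org/x/crypto v0.0.0-PLACEHOLDER-FIXED
`
```

Running the check against a module's go.mod before `go install ...@latest` tells you up front whether you will hit the error above or need the clone-and-build route instead.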
Reference issues on this topic in Go:
In the meantime, what's the workaround?
For the time being, to install vervet you'll either need to:

- `npm install -g @snyk/vervet@^3.1.0`, or
- `git clone` and `make build` locally, and install the binary into your $PATH.

We might also add more distribution channels to make it easier to get vervet. Homebrew, Nix, etc. Contributions here would be welcome!