Potential collision and risk from indirect dependency onsi/ginkgo #3637

Open
HappyHacker123 opened this issue Oct 6, 2024 · 1 comment

@HappyHacker123

Description

google/trillian has already opted into modules and indirectly depends on onsi/ginkgo through a GOPATH project. The onsi/ginkgo project has also opted into modules and released a v2+ version with the major branch strategy. The latest module path of onsi/ginkgo is "github.com/onsi/ginkgo/v2". From a module-unaware project's perspective, the import path "github.com/onsi/ginkgo" is interpreted as onsi/ginkgo's latest version. But from Go Modules' point of view, the path "github.com/onsi/ginkgo" is equal to version v0/v1 or the latest version that doesn't use modules. So when you try to get onsi/ginkgo through the indirect path "github.com/onsi/ginkgo", which comes from the module-unaware project, the module pulls the old version of onsi/ginkgo. This causes the version of onsi/ginkgo that you depend on to be stuck at the old version of onsi/ginkgo.
The same applies to these indirect dependencies:

Possible solution

Add a replace directive in your go.mod files with version information to avoid sticking at the old version.

@roger2hk
Contributor

roger2hk commented Oct 6, 2024

The indirect dependency github.com/onsi/ginkgo comes from github.com/go-redis/redis, which has evolved into github.com/redis/go-redis/v9.

➜  trillian git:(master) go mod why github.com/onsi/ginkgo 
# github.com/onsi/ginkgo
github.com/google/trillian/quota/redis/redistb
github.com/go-redis/redis
github.com/go-redis/redis.test
github.com/onsi/ginkgo

Suggested Fix

Upgrading from github.com/go-redis/redis v6.15.9+incompatible to github.com/redis/go-redis/v9 v9.6.1 should bump the indirect dependency to github.com/onsi/ginkgo/v2.
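An added example, not part of the issue thread or of the trillian code base: a small Go check that scans a go.mod for requirements tagged v2 or later whose module path has no matching /vN suffix, which is the situation both posts above describe for github.com/go-redis/redis. The function name `PreModuleRequires` and the sample go.mod are assumptions made for this illustration; only the two redis versions come from the thread, and the ginkgo version is a placeholder.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: redis versions are from the thread, the rest are placeholders.
const sampleGoMod = `module example.com/app
require (
	github.com/go-redis/redis v6.15.9+incompatible
	github.com/redis/go-redis/v9 v9.6.1
	github.com/onsi/ginkgo v1.0.0 // indirect
)
`

// PreModuleRequires (hypothetical helper) lists requirements whose version is
// v2 or later but whose path lacks the /vN (or gopkg.in .vN) suffix. Such a
// dependency predates modules, so its imports use unversioned paths.
func PreModuleRequires(gomod string) []string {
	var flagged []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop trailing comments
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == ")" || f[len(f)-1] == "(") {
			inBlock = f[0] == "require" // only scan require ( ... ) blocks
			continue
		}
		if len(f) == 3 && f[0] == "require" {
			f = f[1:] // single-line form: require path version
		} else if !inBlock || len(f) != 2 {
			continue
		}
		majorStr, _, _ := strings.Cut(strings.TrimPrefix(f[1], "v"), ".")
		major, err := strconv.Atoi(majorStr)
		if err == nil && major >= 2 && !strings.HasSuffix(f[0], "/v"+majorStr) &&
			!strings.HasSuffix(f[0], ".v"+majorStr) {
			flagged = append(flagged, f[0]+" "+f[1])
		}
	}
	return flagged
}

func main() {
	fmt.Println(strings.Join(PreModuleRequires(sampleGoMod), "\n"))
}
```

Each flagged module is a candidate for the upgrade path suggested above; `go mod why` on its transitive imports shows which unversioned paths it drags in.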
