Hello Sarah, Sarah Morgensen writes: [...] >>> +(define (go.mod-requirements go.mod) >>> + "Compute and return the list of requirements specified by GO.MOD." >>> + (define (replace directive requirements) >>> + (define (maybe-replace module-path new-requirement) >>> + ;; Do not allow version updates for indirect dependencies >>> + ;; TODO: Is this correct behavior? It's in the go.mod for a >>> reason... >> >> According to [1], it seems that yes: "replace directives only apply in >> the main module's go.mod file and are ignored in other modules.", IIUC. >> >> [1] https://golang.org/ref/mod#go-mod-file-replace >> > > My read of it is that if module A requires module B, replace directives > in B's go.mod are ignored, but A's go.mod can replace any module, direct > or indirect. For example, if module B hasn't been updated, but the > version of module C it depends on has a bug that affects it, module A > can use a replace in it's go.mod without requiring an upstream update of > module B. To be fair, this is usually handled by specifying the indirect > dependency with a specific version as a requirement in module A's > go.mod, but the replace should be valid as well. Thank you for explaining. It makes sense. So it seems that we should honor the replacement for any dependency. > The reason it was skipped before, I think (if it was intentional), is > that since we only have the one version of a module in Guix at a time, > it's not necessary to make the indirect dependency explicitly an input, > so don't include it. Sounds plausible! > On the other hand, if it *was* used to avoid a bug > in a version used by an indirect dependency, wouldn't we want to make > sure the Guix package was the fixed version? This is why I was > questioning whether leaving it out was correct. Now that I have a better understanding (I think!), I'd like to propose the attached patch; it should make the replacement logic more in line with the upstream specification. Thanks for the discussion!