by orivej 2947 days ago
> And then the tool does not even have a proper feature to enable you fixing it on your side (e.g., by pinning a whole dependency tree).

vgo allows you to pin your transitive dependencies to the exact versions of your choice, as long as none of them require a dependency with a higher version than you prefer. (But then, do other dependency managers let you disregard version constraints of your dependencies?)


AFAIK vgo only allows me to pin individual packages, but not whole trees. How would I pin a dependency tree in vgo?

You can copy the output of "vgo list -m" (the list of transitive dependencies with the selected versions) into the "require" section of "go.mod" and increase the versions that you want to change. (The next invocation of "vgo verify" will delete the lines with versions that you did not change because they are implied by the lines with versions that were not deleted.)

Thanks for the detailed explanation. That would at least provide a workaround.