A project has an indirect dependency on a library version with a known security vulnerability. How can you force the build to use a patched version?
Go & Rust interview question for Advanced practice.
Answer
Add a direct require directive for the secure version to myapp/go.mod: require github.com/anotherorg/anotherlib v1.2.1.
Explanation
Option B is correct. The project has an indirect dependency on anotherlib v1.2.0 via lib v1.0.0. To override this and use the required secure version, add anotherlib v1.2.1 as a direct dependency of your main module (myapp). Under Go's Minimal Version Selection, the toolchain sees both requirements (v1.2.0 from lib and v1.2.1 from myapp) and selects the higher one, v1.2.1, for the entire build.