Unable to replace github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt/[email protected]

[isishan]

I have a golang module that uses some 3rd party packages that still use github.com/dgrijalva/jwt-go
As a result, I am adding a replace directive to refer to github.com/golang-jwt/jwt/v4 instead.

It looked like this in go.mod file,
replace github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/golang-jwt/jwt/v4 v4.4.2

Recently discovered some vulnerabilities which have been fixed in v4.5.2 so edited the replace directive to look like this
replace github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/golang-jwt/jwt/v4 v4.5.2

But with this change, when I run go mod tidy, I see the below error,
go: github.com/golang-jwt/jwt/[email protected] used for two different module paths (github.com/dgrijalva/jwt-go and github.com/golang-jwt/jwt/v4)

I tried with v4.5.1, it works fine (but has a vulnerability, so can't use it). The issue is just with v4.5.2
Kindly help, thanks!

[oxisto]

Hmmm interesting. We did not change anything in the 4.5.2 release besides that fix. Maybe you updated Go versions in the meantime and they have a different behavior? Are you able to share a link to the project?

[isishan]

Hi, thanks for replying

I tried with go 1.24.1, 1.23.7, 1.23.6 and 1.23.5 and seeing the same behavior.

I can't share the project as it is on a private company server. But it is easily reproducible.

[isishan]

Hi @oxisto, Any update?

[mfridman]

I'm afraid there isn't much we can do here. It could be related to compatibility issues between legacy non-Go module projects. One that comes to mind is golang/go#26904

Also, your project should still compile and run. The "used for two different module paths" is a warning that is coming from the Go toolchain.