
go.mod: Support version ranges in the "exclude" directive #71202

Closed as not planned
@alexus-resolver

Description

Proposal Details

With the latest CVE-2024-45337 I faced the need to avoid usage of affected versions of 'golang.org/x/crypto'.
There are two ways.
The first is to use the 'replace' directive; it will look like this:
replace golang.org/x/crypto => golang.org/x/crypto v0.31.0 // avoiding CVE-2024-45337
The second is the 'exclude' directive; it will look like this:

exclude (
	// avoiding CVE-2024-45337, the fixed version of 'crypto' is 0.31.0
	golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
	<... 8 similar lines, the set depends on a project's dependency tree ...>
	golang.org/x/crypto v0.27.0
)

I prefer the second option, because

  • it does not block golang.org/x/crypto from upgrading in the future
  • there is no need to return to this in the future to remove/upgrade the replace directive
  • it does exactly what I need: mark some versions as prohibited to use.

But it is

  • verbose
  • if a new dependency uses a version of crypto that is not in the list but is still affected, it will be able to add it to the dependencies. I need to keep track of this.

I would like to do something like this:

exclude (
	// avoiding CVE-2024-45337, the fixed version of 'crypto' is 0.31.0
	golang.org/x/crypto v0.0.0-v0.30.0
)

In other words, I think it would be beneficial for Go if the exclude directive supported version ranges the same way retract does.
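As an added illustration (not code from this issue or from the Go project), the following Go program computes today's workaround: given the golang.org/x/crypto versions present in a dependency tree (a constructed sample here; the real set would come from `go mod graph`), it lists every version strictly below the fixed one and renders the exclude block the proposal would like to express as a single range. It assumes a simplified semver comparison that treats any suffixed version (pseudo-version or pre-release) as sorting before the bare release with the same numbers.

```go
package main
import (
	"fmt"
	"strings"
)
// Versions of golang.org/x/crypto seen in a dependency tree. Constructed sample;
// gather the real set from `go mod graph` or `go list -m all`.
var sampleVersions = []string{"v0.32.0", "v0.27.0", "v0.17.0",
	"v0.0.0-20190308221718-c2843e01d9a2", "v0.31.0"}
// sortKey maps "vMAJOR.MINOR.PATCH[-suffix]" to a string whose plain comparison
// follows semver order; a pseudo-version (suffix present) sorts below the release.
func sortKey(v string) (string, error) {
	core, _, pseudo := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	var major, minor, patch int
	if n, err := fmt.Sscanf(core, "%d.%d.%d", &major, &minor, &patch); n != 3 || err != nil {
		return "", fmt.Errorf("malformed version %q", v)
	}
	rel := 1 // a bare release ranks above any pseudo-version with the same numbers
	if pseudo {
		rel = 0
	}
	return fmt.Sprintf("%08d.%08d.%08d.%d", major, minor, patch, rel), nil
}
// AffectedVersions returns every known version strictly below fixed, i.e. the
// list an exclude block must enumerate by hand today (input order is kept).
func AffectedVersions(known []string, fixed string) ([]string, error) {
	fixedKey, err := sortKey(fixed)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, v := range known {
		k, err := sortKey(v)
		if err != nil {
			return nil, err
		}
		if k < fixedKey {
			out = append(out, v)
		}
	}
	return out, nil
}
// ExcludeBlock renders those versions as a go.mod exclude directive.
func ExcludeBlock(module, fixed, note string, versions []string) string {
	lines := []string{"exclude (", "\t// " + note + ", the fixed version is " + fixed}
	for _, v := range versions {
		lines = append(lines, "\t"+module+" "+v)
	}
	return strings.Join(append(lines, ")"), "\n") + "\n"
}
```

Calling `ExcludeBlock("golang.org/x/crypto", "v0.31.0", "avoiding CVE-2024-45337", vs)` with `vs` from `AffectedVersions(sampleVersions, "v0.31.0")` prints the three-entry block that a range such as the proposed one would replace.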
