CVE-2020-16845 still occurs on dependant products

[mishas]

Hello @naveensrinivasan and @fergusstrange ,

I just updated embedded-postgres to v1.11.0, and I still get the github.com/ulikunitz/xz@v0.5.6 dependency in my go.sum (after go mod tidy).

I think the reason for this is, that in #42 , you've used a replace directive, that only does something local, instead of a require (// indirect) directive that would affect projects depending on yours.
From https://golang.org/ref/mod#go-mod-file-replace:

replace directives only apply in the main module’s go.mod file and are ignored in other modules. See Minimal version selection for details.

I think the following fix will do the trick:

- replace github.com/ulikunitz/xz => github.com/ulikunitz/xz v0.5.8
+ require github.com/ulikunitz/xz v0.5.10 // indirect

(Please also note, that there's no reason to use v0.5.8 when v0.5.10 is available)

[fergusstrange]

Ah good spot, this one slipped me by. I'll take a look at getting that PR in over this weekend.

[fergusstrange]

Hey @mishas this is now merged in and appears to be working well on a number of my own projects. I have released at v1.11.0 if you wanted to give it a try!

Thanks for all the feedback and patience, this was probably the longest running PR we've had!

[mishas]

Thank you very much!
Appreciate it!