Up front, I have to admit that I'm struggling with the newly introduced download-your-go-toolchain-on-the-fly when it comes to:
- having reproducible builds in a CI/CD pipeline without a different toolchain being downloaded than the one installed at the stage start,
- being a module maintainer, as opposed to being a "leaf" app maintainer without downstream users, while maintaining the N,N-1 go (minor) version guarantee.
What happens is that when I'm on a go 1.21.x toolchain in order to ensure the N,N-1 guarantee, a go-mod-upgrade on a module with a k8s.io/api dependency "crashes" with the following error, caused by the go command that go-mod-upgrade uses under the hood:
Error running go command to discover modules: exit status 1 stderr=go: loading module retractions for k8s.io/a...@v0.26.2: module k8s.io/a...@v0.30.0 requires go >= 1.22.0 (running go 1.21.7; GOTOOLCHAIN=local)
Is there a way in the go command to upgrade to the "latest" dependency that doesn't trigger this error?
Manually, I can see that there is a 0.29.4 available. Unfortunately, even a single dependency like this causes go-mod-upgrade to fail completely, so I'm back to maintaining each and every one of my many deps individually ... which absolutely sucks from the UX perspective, as I'm sure you can follow along with. Remember, I simply cannot switch toolchains on a whim, not least due to CI/CD policies.
How to deal with this situation? Is there a way to use the go tool so that it would return only upgrades without toolchain changes? How might the go-mod-upgrade tool work around this situation?
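One way an upgrade tool could apply the constraint asked about above, as an added example that is not part of the original post and not go-mod-upgrade's code: choose the highest release whose `go` directive the pinned local toolchain already satisfies. The function names and the go.mod texts are constructed for illustration; only the v0.30.0 requirement (go >= 1.22.0) comes from the error message above.

```go
package main

import (
	"fmt"
	"strings"
)

type candidate struct{ Version, GoMod string } // a module version and its go.mod text

// goDirective returns the version on the "go" line of a go.mod, or "" if there is none.
func goDirective(gomod string) string {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "go" {
			return f[1]
		}
	}
	return ""
}

// num maps "1.21", "1.22.0" or "v0.29.4" to one comparable integer (each part assumed < 1000).
func num(v string) int {
	var a, b, c int
	fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &a, &b, &c) // missing parts stay 0
	return a*1_000_000 + b*1_000 + c
}

// latestBuildable returns the highest release whose go directive the local toolchain satisfies.
func latestBuildable(local string, cands []candidate) string {
	best := ""
	for _, c := range cands {
		if strings.Contains(c.Version, "-") || num(goDirective(c.GoMod)) > num(local) {
			continue // pre-release, or needs a newer toolchain than the local one
		}
		if best == "" || num(c.Version) > num(best) {
			best = c.Version
		}
	}
	return best
}

// Constructed sample input; the go lines for v0.26.2 and v0.29.4 are assumptions.
var sample = []candidate{
	{"v0.26.2", "module k8s.io/api\n\ngo 1.19\n"},
	{"v0.29.4", "module k8s.io/api\n\ngo 1.21\n"},
	{"v0.30.0", "module k8s.io/api\n\ngo 1.22.0\n"},
}

func main() {
	fmt.Println(latestBuildable("1.21.7", sample)) // local toolchain version from the error above
}
```

In a real tool the go.mod text for each candidate version would have to be fetched first, for example from the module proxy's `@v/<version>.mod` endpoint, before the selected version is passed to `go get`.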