I want to delete dependencies on github.com/satori/go.uuid because it is vulnerable.
# master branch of https://github.com/jackc/pgx
$ pwd
/home/go/src/github.com/pgx
$ go mod graph | grep satori
github.com/jackc/pgtype@v0.0.0-20190828014616-a8802b16cc59 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgx/v4@v4.0.0-pre1.0.20190824185557-6972a5742186 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgtype@v0.0.0-20190824184912-ab885b375b90 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgx/v4@v4.0.0-20190421002000-1b8f0016e912 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgtype@v0.0.0-20190421001408-4ed0de4755e0 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgx/v4@v4.0.0-20190420224344-cc3461e65d96 github.com/satori/go.uuid@v1.2.0
But maybe we cannot do that, because there are cyclic dependencies between modules, as below (this is part of the go mod graph output).
github.com/jackc/pgx/v4 ->
github.com/jackc/pgtype@v1.8.0 ->
github.com/jackc/pgconn@v1.8.1 ->
github.com/jackc/pgmock@v0.0.0-20190831213851-13a1b77aafa2 ->
github.com/jackc/pgtype@v0.0.0-20190828014616-a8802b16cc59 ->
github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgmock depends on github.com/jackc/pgconn, and vice versa.
github.com/jackc/pgx depends on github.com/jackc/pgtype, and vice versa.
I don't fully understand, but I think we cannot delete dependencies on older versions completely even if we update the module like #5.
Am I right?
If yes, do you have any plan to resolve this?
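The issue above reads `go mod graph` output by hand. As an added example (not code from the issue author or from the pgx project), the following Go program parses `go mod graph` output and answers the two questions that matter when triaging a flagged dependency: which modules require it, and by what chain it is reachable from the main module. The sample graph is constructed from the edges quoted in the issue (a subset of the real output, not a live run); the one edge closing the pgmock <-> pgconn cycle is assumed only so that the cycle the issue mentions is present in the sample, its version is not from the page.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Graph holds the module requirement graph as adjacency lists. Each line of
// `go mod graph` is "<requirer> <required>" where a node is "path@version";
// the main module appears without a version.
type Graph map[string][]string

// ParseModGraph parses `go mod graph` output into a Graph. Malformed lines
// are skipped rather than failing the whole parse.
func ParseModGraph(out string) Graph {
	g := Graph{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		g[f[0]] = append(g[f[0]], f[1])
		if _, ok := g[f[1]]; !ok {
			g[f[1]] = nil // register leaf nodes too
		}
	}
	return g
}

// ModPath strips the "@version" suffix from a graph node.
func ModPath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// ShortestChain does a BFS from root and returns the shortest requirement
// chain ending at any version of the module path target, or nil if no
// version of target is reachable. The visited map makes cycles harmless.
func ShortestChain(g Graph, root, target string) []string {
	prev := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if ModPath(n) == target {
			var chain []string
			for c := n; c != ""; c = prev[c] {
				chain = append([]string{c}, chain...)
			}
			return chain
		}
		for _, next := range g[n] {
			if _, seen := prev[next]; !seen {
				prev[next] = n
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// Requirers lists every node that has an edge into some version of target,
// i.e. the go.mod files that would have to change to drop it.
func Requirers(g Graph, target string) []string {
	var out []string
	for from, tos := range g {
		for _, to := range tos {
			if ModPath(to) == target {
				out = append(out, from)
			}
		}
	}
	sort.Strings(out)
	return out
}

// VersionsReachable lists every version of module path p that appears in
// the part of the graph reachable from root. Several versions of one module
// in this list is exactly the situation the issue describes.
func VersionsReachable(g Graph, root, p string) []string {
	seen := map[string]bool{root: true}
	stack := []string{root}
	var versions []string
	for len(stack) > 0 {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if ModPath(n) == p && n != p {
			versions = append(versions, strings.TrimPrefix(n, p+"@"))
		}
		for _, next := range g[n] {
			if !seen[next] {
				seen[next] = true
				stack = append(stack, next)
			}
		}
	}
	sort.Strings(versions)
	return versions
}

// sampleGraph is constructed from the edges quoted in the issue. The last
// line is an assumed edge that closes the pgmock <-> pgconn cycle; its
// version is chosen only so the cycle exists in the sample.
const sampleGraph = `github.com/jackc/pgx/v4 github.com/jackc/pgtype@v1.8.0
github.com/jackc/pgtype@v1.8.0 github.com/jackc/pgconn@v1.8.1
github.com/jackc/pgconn@v1.8.1 github.com/jackc/pgmock@v0.0.0-20190831213851-13a1b77aafa2
github.com/jackc/pgmock@v0.0.0-20190831213851-13a1b77aafa2 github.com/jackc/pgtype@v0.0.0-20190828014616-a8802b16cc59
github.com/jackc/pgtype@v0.0.0-20190828014616-a8802b16cc59 github.com/satori/go.uuid@v1.2.0
github.com/jackc/pgmock@v0.0.0-20190831213851-13a1b77aafa2 github.com/jackc/pgconn@v1.8.1
`

func main() {
	g := ParseModGraph(sampleGraph)
	const root = "github.com/jackc/pgx/v4"
	const vuln = "github.com/satori/go.uuid"
	fmt.Println("required by:", Requirers(g, vuln))
	fmt.Println("chain:", strings.Join(ShortestChain(g, root, vuln), " -> "))
	fmt.Println("pgtype versions in graph:", VersionsReachable(g, root, "github.com/jackc/pgtype"))
}
```

To run it against a real module, pipe `go mod graph` into a file and pass its contents to `ParseModGraph` instead of the constant. Note that `go mod graph` prints every version that appears in any requirement edge, so a module can show up there through an old version of a dependency without being the version that is actually selected; `go list -m all` prints the selected build list, and `go mod why -m <module>` prints the package import chain that explains why a module is needed at all.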