Note that cmd/go itself does not allow replace directives to be recursive. (Only the directives from the main module are in effect.) Not sure if that changes what you want to do in x/vuln. 🤔

I think this refers to replace directives who's target is replaced by another replace directive in the same go.mod

I don't think those are recursive either. (In theory you could do a path-swap that way, but in practice it shouldn't be possible because the module declarations in the go.mod file won't match.)

Hmm, it lets you declare it, but then does not use it

a go.mod with

replace golang.org/x/text v0.9.0 => golang.org/x/text v0.5.0
replace golang.org/x/text v0.5.0 => golang.org/x/text v0.3.0
require golang.org/x/text v0.9.0

is valid, but will use golang.org/x/text v0.5.0 not golang.org/x/text v0.3.0 according to go list
maybe that should be an error?
Either way, it seems like there is nothing to do for govulncheck

Change https://go.dev/cl/498056 mentions this issue: internal/scan: change replace handling