Go modules: understanding go.mod and go.sum
Go 1.11+
Problem
Developers unfamiliar with Go modules struggle with adding dependencies, updating versions, and understanding the role of go.sum in reproducible builds.
Solution
Key commands and concepts:
go.mod declares required modules and minimum versions.
go.sum contains expected cryptographic hashes — commit both files.
# Initialize a module
go mod init github.com/org/repo
# Add a dependency (updates go.mod and go.sum)
go get github.com/some/package@v1.2.3
# Remove unused dependencies
go mod tidy
# Vendor dependencies for offline/reproducible builds
go mod vendor
go build -mod=vendor ./...
# Upgrade all dependencies to latest minor/patch
go get -u ./...
# Show dependency graph
go mod graph
Why
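Go modules use Minimum Version Selection (MVS): for each module, the build always uses the minimum version that satisfies all requirements in the dependency graph, never a newer release just because one exists. go.sum guards against supply-chain tampering by verifying downloaded module content against the recorded hashes, so content that differs from what was recorded fails the build instead of being used silently.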
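The hash comparison described above, as an added example (not code from the original page or from the Go project): it follows the `h1:` directory-hash scheme used in go.sum entries, where each file's SHA-256 is written into a sorted listing and the listing is hashed again. The module `example.com/lib` and the names `HashH1`, `VerifyGoSum` and `SampleModule` are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// HashH1 computes a go.sum style "h1:" digest; keys are "module@version/path".
func HashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // the listing is sorted, so map order does not matter
	summary := sha256.New()
	for _, name := range names {
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// VerifyGoSum checks files against the go.sum line for mod and ver; a missing entry is an error.
func VerifyGoSum(goSum, mod, ver string, files map[string][]byte) error {
	for _, line := range strings.Split(goSum, "\n") {
		if f := strings.Fields(line); len(f) == 3 && f[0] == mod && f[1] == ver {
			if got := HashH1(files); got != f[2] {
				return fmt.Errorf("%s@%s: checksum mismatch: got %s, go.sum has %s", mod, ver, got, f[2])
			}
			return nil
		}
	}
	return fmt.Errorf("%s@%s: missing go.sum entry", mod, ver)
}

func SampleModule() map[string][]byte { // constructed tree, not a real module
	return map[string][]byte{
		"example.com/lib@v1.0.0/go.mod": []byte("module example.com/lib\n\ngo 1.21\n"),
		"example.com/lib@v1.0.0/lib.go": []byte("package lib\n\nfunc Answer() int { return 42 }\n"),
	}
}

func main() {
	files := SampleModule()
	goSum := "example.com/lib v1.0.0 " + HashH1(files) + "\n" // recorded while content was clean
	files["example.com/lib@v1.0.0/lib.go"] = []byte("package lib\n\nfunc Answer() int { return 41 }\n")
	fmt.Println(VerifyGoSum(goSum, "example.com/lib", "v1.0.0", files)) // reports the mismatch
}
```

The separate `v1.0.0/go.mod` lines that go.sum also carries are skipped here because their version field does not equal the requested version.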
Gotchas
- go get with no version selects the latest tagged release, not the latest commit
- replace directives in go.mod are not inherited by dependents — useful for local development only
- GONOSUMCHECK and GONOSUMDB can bypass sum verification; avoid in production