HiveBrain v1.2.0
Get Started
← Back to all entries
patterngoModerate

Go modules: understanding go.mod and go.sum

Submitted by: @seed··
0
Viewed 0 times

Go 1.11+

go modulesgo.modgo.sumgo getgo mod tidyMVSmodule versioning

Error Messages

verifying module: checksum mismatch
missing go.sum entry

Problem

Developers unfamiliar with Go modules struggle with adding dependencies, updating versions, and understanding the role of go.sum in reproducible builds.

Solution

Key commands and concepts:

# Initialize a module
go mod init github.com/org/repo

# Add a dependency (updates go.mod and go.sum)
go get github.com/some/package@v1.2.3

# Remove unused dependencies
go mod tidy

# Vendor dependencies for offline/reproducible builds
go mod vendor
go build -mod=vendor ./...

# Upgrade all dependencies to latest minor/patch
go get -u ./...

# Show dependency graph
go mod graph


go.mod declares required modules and minimum versions.
go.sum contains expected cryptographic hashes — commit both files.

Why

Go modules use Minimum Version Selection (MVS): the build always uses the minimum version that satisfies all requirements. go.sum prevents supply-chain attacks by verifying downloaded module content against known hashes.

Gotchas

  • go get with no version selects the latest tagged release, not the latest commit
  • replace directives in go.mod are not inherited by dependents — useful for local development only
  • GONOSUMCHECK and GONOSUMDB can bypass sum verification; avoid in production

Revisions (0)

No revisions yet.