Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: go mod tidy noop, even though indirect dep versions are wonky #62391

karalabe opened this issue Aug 31, 2023 · 1 comment


Copy link

karalabe commented Aug 31, 2023

What version of Go are you using (go version)?

$ go version
go version go1.21.0 darwin/arm64

Does this issue reproduce with the latest release?


What did you do?

Our project accumulated a lot of dependencies and indirect dependencies in our go.mod file over the years. Whenever touching the deps, we always did go mod tidy to ensure everything's on a correct version. A few weeks ago we've been receiving bug reports about funky version issues and while investigating, we've realised there are indirect dependencies in our go.mod file... that are not actually used at all in our code, neither in any actual dependency.

Go mod tidy is a noop, it doesn't detect nor remove these. If I manually remove all indirect deps from the go.mod file and do a go mod tidy, it resulted in a huge diff with versions changing all over the place compared to the original go.mod and go.sum file. It seems that either something is not detected by go mod tidy correctly, or perhaps the command has some subtlety to it that is not documented?

A repro:

# Check out the go-ethereum repo and the weird commit where we noticed this
$ git clone
$ cd go-ethereum
$ git checkout 41ee96fdfee5924004e8fbf9bbc8aef783893917

# Verify that there's no diff and that go mod tidy is a noop
$ git diff
$ go mod tidy
$ git diff

# DO THIS MANUALLY: delete all the //indirect lines from go.mod, rerun go mod tidy
$ go mod tidy
go: finding module for package
go: finding module for package
go: finding module for package
go: finding module for package
go: found in v0.1.0
go: found in v1.2.1
go: found in v0.3.12
go: found in v3.5.0

$ git diff
[... 400 lines of diff ...]

What did you expect to see?

My expectation is for go mod tidy to generate the same indirect dependency versions, no matter how it is run and with what input as far as indirect deps are concerned.

What did you see instead?

Seems that the indirect dependencies listed in the go.mod file play a role in the result of go mod tidy, which IMO they should not.

Copy link

you can upgrade indirect dependencies, and the result of is recorded in your go.mod.
that won't be replicated if you remove any record of your upgrades by deleting the go.mod lines.

@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Aug 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

2 participants