Minimal version selection
Understand that Go chooses the minimum required dependency versions in the graph, not the newest releases available.
Canonical guidance
- Go selects the minimum version needed to satisfy module requirements
- upgrade dependencies intentionally
- read
go.modchanges as version-selection policy, not just lockfile noise
Use when
- debugging dependency versions
- reviewing module diffs
- planning upgrades across large repos
Avoid
- assuming transitive dependencies float to the latest release
- treating
go mod tidyoutput as unimportant - expecting semver ranges like other ecosystems
Preferred pattern
go get example.com/[email protected]
go mod tidy
Anti-pattern
- assuming a security or bugfix release is active because it exists upstream, even though no requirement in the graph demands it
Explanation: This anti-pattern is tempting because many ecosystems float versions, but Go’s module solver is intentionally more predictable.
Why
- minimal version selection trades surprise-free builds for explicit upgrade responsibility
Related pages
Sources
- Go Modules Reference - Go Team