cmd/go: go get tool upgrades tools instead of just downloading them #71289

Not planned
@willfaught

Go version

1.24rc1

Output of go env in your module/workspace:

AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/will/Library/Caches/go-build'
GODEBUG=''
GOENV='/Users/will/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/bx/qk0phsxd265fqj512dnnpg080000gp/T/go-build3319980599=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/will/Developer/t/go.mod'
GOMODCACHE='/Users/will/Library/Application Support/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/will/Library/Application Support/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/will/Library/Application Support/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24rc1.darwin-arm64'
GOSUMDB='sum.golang.org'
GOTELEMETRY='off'
GOTELEMETRYDIR='/Users/will/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/will/Library/Application Support/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24rc1.darwin-arm64/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.24rc1'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

I had:

-- t.go --
package main

import (
	"fmt"
)

func main() {
	fmt.Println("t")
}

-- go.mod --
module t

go 1.24rc1

tool golang.org/x/tools/cmd/stringer

require (
	golang.org/x/mod v0.22.0 // indirect
	golang.org/x/sync v0.10.0 // indirect
	golang.org/x/tools v0.26.0 // indirect
)

golang.org/x/tools@v0.26.0 had never been downloaded on my computer.

$ go get tool

What did you see happen?

It upgraded golang.org/x/tools from v0.26.0 to v0.29.0:

$ go get tool
go: upgraded golang.org/x/tools v0.26.0 => v0.29.0

This is inconsistent with go get:

usage: go get [-t] [-u] [-tool] [build flags] [packages]

Get resolves its command-line arguments to packages at specific module versions,
updates go.mod to require those versions, and downloads source code into the
module cache.

go get -u is meant to upgrade dependencies:

The -u flag instructs get to update modules providing dependencies
of packages named on the command line to use newer minor or patch
releases when available.

What did you expect to see?

It downloads the version specified in go.mod, and nothing else:

$ go get tool
go: downloading golang.org/x/tools v0.26.0
$

Then, if I want to upgrade the tool:

$ go get -u golang.org/x/tools # or go get -u tool
go: downloading golang.org/x/tools v0.29.0
go: upgraded golang.org/x/tools v0.26.0 => v0.29.0
$

This auto-upgrade behavior is going to be a footgun.

Activity

seankhliao commented on Jan 16, 2025

Member

see:

To add a dependency for a package or upgrade it to its latest version:

go get example.com/pkg

tool is a meta package, and go get works consistently in upgrading it to latest.
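
As an added example (not part of the issue thread and not cmd/go's own code): a small Go check, usable in CI, that compares the require directives of go.mod before and after a command such as `go get tool` and lists every version that moved, which is how the silent v0.26.0 => v0.29.0 change reported above would be caught. The names `parseRequires` and `Drift` are hypothetical, the "after" file is constructed from the issue's go.mod, and the parser assumes plain `require` lines and blocks only.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// parseRequires maps module path -> version for every require directive,
// in both the single-line and the parenthesized block form.
func parseRequires(gomod string) map[string]string {
	reqs, inBlock := map[string]string{}, false
	for sc := bufio.NewScanner(strings.NewReader(gomod)); sc.Scan(); {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop "// indirect" etc.
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case !inBlock && len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// Drift lists requirements whose version changed or that are new in after.
func Drift(before, after string) []string {
	old, out := parseRequires(before), []string{}
	for mod, nv := range parseRequires(after) {
		if v, ok := old[mod]; !ok {
			out = append(out, mod+" (new) => "+nv)
		} else if v != nv {
			out = append(out, mod+" "+v+" => "+nv)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample: the issue's go.mod, and a copy with the reported upgrade.
const before = "module t\n\ngo 1.24rc1\n\ntool golang.org/x/tools/cmd/stringer\n\nrequire (\n\tgolang.org/x/mod v0.22.0 // indirect\n\tgolang.org/x/sync v0.10.0 // indirect\n\tgolang.org/x/tools v0.26.0 // indirect\n)\n"
var after = strings.Replace(before, "tools v0.26.0", "tools v0.29.0", 1)

func main() { fmt.Println(strings.Join(Drift(before, after), "\n")) }
```

A pipeline would read the committed go.mod and the post-command go.mod from disk and fail the job when `Drift` returns anything.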
