cmd/go: go get tool upgrades tools instead of just downloading them

[willfaught]

Go version

1.24rc1

Output of go env in your module/workspace:

AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/will/Library/Caches/go-build'
GODEBUG=''
GOENV='/Users/will/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/bx/qk0phsxd265fqj512dnnpg080000gp/T/go-build3319980599=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/will/Developer/t/go.mod'
GOMODCACHE='/Users/will/Library/Application Support/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/will/Library/Application Support/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/will/Library/Application Support/go/pkg/mod/golang.org/[email protected]'
GOSUMDB='sum.golang.org'
GOTELEMETRY='off'
GOTELEMETRYDIR='/Users/will/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/will/Library/Application Support/go/pkg/mod/golang.org/[email protected]/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.24rc1'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

I had:

-- t.go --
package main

import (
  "fmt"
)

func main() {
	fmt.Println("t")
}

-- go.mod --
module t

go 1.24rc1

tool golang.org/x/tools/cmd/stringer

require (
	golang.org/x/mod v0.22.0 // indirect
	golang.org/x/sync v0.10.0 // indirect
	golang.org/x/tools v0.26.0 // indirect
)

golang.org/x/[email protected] had never been downloaded on my computer.

$ go get tool

What did you see happen?

It upgraded golang.org/x/tools from v0.26.0 to v0.29.0:

$ go get tool
go: upgraded golang.org/x/tools v0.26.0 => v0.29.0

This is inconsistent with go get:

usage: go get [-t] [-u] [-tool] [build flags] [packages]

Get resolves its command-line arguments to packages at specific module versions,
updates go.mod to require those versions, and downloads source code into the
module cache.

go get -u is meant to upgrade dependencies:

The -u flag instructs get to update modules providing dependencies
of packages named on the command line to use newer minor or patch
releases when available.

What did you expect to see?

It download the version specified in go.mod, and nothing else:

$ go get tool
go: downloading golang.org/x/tools v0.26.0
$

Then, if I want to upgrade the tool:

$ go get -u golang.org/x/tools # or go get -u tool
go: downloading golang.org/x/tools v0.29.0
go: upgraded golang.org/x/tools v0.26.0 => v0.29.0
$

This auto-upgrade behavior is going to be a footgun.

[gabyhelp]

Related Issues

• cmd/go: tools.go/+build tools dependencies in go.mod not updated with any go get -u variant #32345 (closed)
• cmd/go: go get -u on a single module results in indirect modules being updated too #28156 (closed)
• cmd/go: module dependencies not updated with `go get -u` in 1.17 #47768 (closed)
• go get #56314 (closed)
• cmd/go: go build, list etc can upgrade existing dependency versions #28692 (closed)
• cmd/go: automatic toolchain upgrades make the combination of `go version` and `go install <package>@<version>` confusing #66518
• cmd/go: go get forces upgrade without `-u` #35135 (closed)
• cmd/go: GOTOOLCHAIN=version+auto doesn't use the named version in go install package@version #69051 (closed)

Related Code Changes

• cmd/go: make get -u upgrade only modules providing packages

Related Documentation

• Go Modules Reference > Module-aware commands > go get

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

see:

To add a dependency for a package or upgrade it to its latest version:

go get example.com/pkg

tool is a meta package, and go get works consistently in upgrading it to latest.