I have a program with source code hosted on GitHub that uses Go Modules introduced in Go 1.11. The go.mod file describes my dependencies, but the go.sum file seems to be a lockfile. Should I be adding go.sum to my repository or should I gitignore it?
go.sum is a generated file; you don't have to edit or modify it. The go.mod file lists all the modules, with their versions, in its “require” block. “module” is the module declaration, i.e. the URL maintained for version control.
The go.sum file may contain hashes for multiple versions of a module. The go command may need to load go.mod files from multiple versions of a dependency in order to perform minimal version selection. go.sum may also contain hashes for module versions that aren't needed anymore (for example, after an upgrade).
The go.mod file defines the module's module path, which is also the import path used for the root directory, and its dependency requirements, which are the other modules needed for a successful build. Each dependency requirement is written as a module path and a specific semantic version.
The go mod vendor command constructs a directory named vendor in the main module's root directory that contains copies of all packages needed to support builds and tests of packages in the main module. Packages that are only imported by tests of packages outside the main module are not included.
https://github.com/golang/go/wiki/Modules#releasing-modules-all-versions:
Ensure your go.sum file is committed along with your go.mod file.
(Building on a previous answer.)
Yes, commit go.sum.
Ensure your go.sum file is committed along with your go.mod file. See FAQ below for more details and rationale.
From the FAQ:
Should I commit my 'go.sum' file as well as my 'go.mod' file?
Typically your module's go.sum file should be committed along with your go.mod file.
- go.sum contains the expected cryptographic checksums of the content of specific module versions.
- If someone clones your repository and downloads your dependencies using the go command, they will receive an error if there is any mismatch between their downloaded copies of your dependencies and the corresponding entries in your go.sum.
- In addition, go mod verify checks that the on-disk cached copies of module downloads still match the entries in go.sum.
- Note that go.sum is not a lock file as used in some alternative dependency management systems. (go.mod provides enough information for reproducible builds).
- See very brief rationale here from Filippo Valsorda on why you should check in your go.sum. See the "Module downloading and verification" section of the tip documentation for more details. See possible future extensions being discussed for example in #24117 and #25530.
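The mismatch check the FAQ describes, as an added example that is not part of the original answers or the Go project's own code. It covers only the "/go.mod" lines of go.sum (the line for the full module content applies the same scheme over every file in the module), and the module path example.com/dep and its content are constructed.

```go
package main
import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// hashGoMod returns the "h1:" value: base64(SHA-256("<hex SHA-256 of file>  go.mod\n")).
func hashGoMod(content []byte) string {
	fileSum := sha256.Sum256(content)
	total := sha256.Sum256([]byte(fmt.Sprintf("%x  go.mod\n", fileSum[:])))
	return "h1:" + base64.StdEncoding.EncodeToString(total[:])
}

// parseGoSum maps "<module> <version>[/go.mod]" to its recorded hash.
func parseGoSum(text string) (map[string]string, error) {
	sums := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && strings.HasPrefix(f[2], "h1:") {
			sums[f[0]+" "+f[1]] = f[2]
		} else if len(f) != 0 { // blank lines are skipped, anything else is an error
			return nil, fmt.Errorf("malformed go.sum line: %q", sc.Text())
		}
	}
	return sums, sc.Err()
}

// verifyGoMod fails when a downloaded go.mod has no entry or a different hash.
func verifyGoMod(sums map[string]string, module, version string, content []byte) error {
	want, ok := sums[module+" "+version+"/go.mod"]
	if !ok {
		return fmt.Errorf("%s %s/go.mod: missing go.sum entry", module, version)
	}
	if got := hashGoMod(content); got != want {
		return fmt.Errorf("%s %s/go.mod: checksum mismatch (got %s, want %s)", module, version, got, want)
	}
	return nil
}

func main() {
	mod := []byte("module example.com/dep\n\ngo 1.11\n") // constructed sample content
	sums, _ := parseGoSum("example.com/dep v1.0.0/go.mod " + hashGoMod(mod) + "\n")
	fmt.Println(verifyGoMod(sums, "example.com/dep", "v1.0.0", mod))                          // nil
	fmt.Println(verifyGoMod(sums, "example.com/dep", "v1.0.0", append(mod, "// tampered\n"...))) // mismatch error
}
```

Without a committed go.sum there is no recorded hash for a fresh clone to compare against, which is the missing-entry case above.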