version in go.mod is changed by dependent's go.sum file.

[cinakyn]

What version of Go are you using (go version)?

$ go version
go version go1.12.7 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GOARCH="amd64"
GOBIN="/Users/username/go/bin"
GOCACHE="/Users/username/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/username/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/username/projname/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/hc/g8gwp8j91x165vx6fcytr26r0000gn/T/go-build805725642=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

$mkdir test; cd test

$go mod init test

$echo "package main\n import (\n _ \"github.com/valyala/fasthttp\"\n )\n func main() {}" > main.go

$echo "module test\ngo 1.12\nrequire github.com/valyala/fasthttp v1.1.0" > go.mod

$go fmt

$cat main.go
package main

import (
	_ "github.com/valyala/fasthttp"
)

func main() {}

$cat go.sum
module test

go 1.12

require github.com/valyala/fasthttp v1.1.0

$ go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.17.1
go: finding github.com/golangci/golangci-lint/cmd/golangci-lint v1.17.1
go: finding github.com/golangci/golangci-lint/cmd v1.17.1

What did you expect to see?

$ cat go.mod
module test

go 1.12

require (
	github.com/golangci/golangci-lint v1.17.1 // indirect
	github.com/valyala/fasthttp v1.1.0
)

What did you see instead?

$ cat go.mod
module test

go 1.12

require (
	github.com/golangci/golangci-lint v1.17.1 // indirect
	github.com/valyala/fasthttp v1.2.0
)

Detail

(I'm not a native english user)

After installing example module(github.com/golangci/golangci-lint), You can see version of fasthttp in go.mod has been changed to v1.2.0.
But golangci-lint never uses the fasthttp(https://github.com/golangci/golangci-lint/blob/v1.17.1/go.mod). It only exists in go.sum(https://github.com/golangci/golangci-lint/blob/v1.17.1/go.sum).
User have to change the version of fasthttp if he want to use golangci-lint even though golangci never uses the fasthttp.

[av86743]

https://golang.org/cmd/go/#hdr-Maintaining_module_requirements

The 'go get' command updates go.mod to change the module versions used in a build. An upgrade of one module may imply upgrading others, and similarly a downgrade of one module may imply downgrading others. The 'go get' command makes these implied changes as well. If go.mod is edited directly, commands like 'go build' or 'go list' will assume that an upgrade is intended and automatically make any implied upgrades and update go.mod to reflect them.

Looks like your case.

golangci/golangci-lint was added to go.mod because fasthttp uses it for testing (presumably.)

Testing dependencies are not downloaded by default, but are always added to go.mod without any indication what they are. To make things more cryptic. And funnier.

[cinakyn]

(fasthttp and golangci-lint are just modules for example)

I totally agree with upgrading my version of fasthttp if it placed in go.mod of golangci-lint. but it's not. That exists only in go.sum of golangci-lint

[av86743]

Take a look at an actual build of github.com/golangci/golangci-lint and its actual go.mod and go.sum in your $GOPATH/pkg/mod directory.

[av86743]

But golangci-lint never uses the fasthttp(https://github.com/golangci/golangci-lint/blob/v1.17.1/go.mod).

Actually it does (v1.2.0, via chain of dependencies.)

[bcmills]

As @av86743 notes, this version requirement arises transitively through github.com/golangci/golangci-lint v1.17.1. The go.mod file is not a lockfile: it defines a single node in the module graph, not the entire contents of the graph.

However, note that the go.mod file for golangci-lint does include an invalid requirement, so you'll need to apply some replace directives to get it to work with go1.13beta1. (See golangci/golangci-lint#581.)

Using go1.12.6 (which does not validate pseudo-versions as strictly), you can see that the dependency comes via the github.com/valyala/quicktemplate module:

example.com$ go1.12.6 get -d github.com/golangci/golangci-lint/cmd/golangci-lint
go: finding github.com/golangci/golangci-lint/cmd/golangci-lint latest
go: finding github.com/golangci/golangci-lint/cmd latest

example.com$ go1.12.6 mod graph | grep quicktemplate
github.com/golangci/golangci-lint@v1.17.1 github.com/valyala/quicktemplate@v1.1.1
github.com/valyala/quicktemplate@v1.1.1 github.com/klauspost/compress@v1.4.1
github.com/valyala/quicktemplate@v1.1.1 github.com/klauspost/cpuid@v1.2.0
github.com/valyala/quicktemplate@v1.1.1 github.com/valyala/bytebufferpool@v1.0.0
github.com/valyala/quicktemplate@v1.1.1 github.com/valyala/fasthttp@v1.2.0

example.com$