cmd/go: `go get tool` upgrades tools instead of just downloading them

cmd/go: `go get tool` upgrades tools instead of just downloading them
DRANK

Go version 1.24rc1 Output of go env in your module/workspace: AR='ar' CC='clang' CGO_CFLAGS='-O2 -g' CGO_CPPFLAGS='' CGO_CXXFLAGS='-O2 -g' CGO_ENABLED='1' CGO_FFLAGS='-O2 -g' CGO_LDFLAGS='-O2 -g' CXX='clang++' GCCGO='gccgo' GO111MODULE='' GOARCH='arm64' GOARM64='v8.0' GOAUTH='netrc' GOBIN='' GOCACHE='/Users/will/Library/Caches/go-build' GODEBUG='' GOENV='/Users/will/Library/Application Support/go/env' GOEXE='' GOEXPERIMENT='' GOFIPS140='off' GOFLAGS='' GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/bx/qk0phsxd265fqj512dnnpg080000gp/T/go-build3319980599=/tmp/go-build -gno-record-gcc-switches -fno-common' GOHOSTARCH='arm64' GOHOSTOS='darwin' GOINSECURE='' GOMOD='/Users/will/Developer/t/go.mod' GOMODCACHE='/Users/will/Library/Application Support/go/pkg/mod' GONOPROXY='' GONOSUMDB='' GOOS='darwin' GOPATH='/Users/will/Library/Application Support/go' GOPRIVATE='' GOPROXY='https://proxy.golang.org,direct' GOROOT='/Users/will/Library/Application Support/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24rc1.darwin-arm64' GOSUMDB='sum.golang.org' GOTELEMETRY='off' GOTELEMETRYDIR='/Users/will/Library/Application Support/go/telemetry' GOTMPDIR='' GOTOOLCHAIN='auto' GOTOOLDIR='/Users/will/Library/Application Support/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.24rc1.darwin-arm64/pkg/tool/darwin_arm64' GOVCS='' GOVERSION='go1.24rc1' GOWORK='' PKG_CONFIG='pkg-config' What did you do? I had: -- t.go -- package main import ( "fmt" ) func main() { fmt.Println("t") } -- go.mod -- module t go 1.24rc1 tool golang.org/x/tools/cmd/stringer require ( golang.org/x/mod v0.22.0 // indirect golang.org/x/sync v0.10.0 // indirect golang.org/x/tools v0.26.0 // indirect ) golang.org/x/tools@v0.26.0 had never been downloaded on my computer. $ go get tool What did you see happen? It upgraded golang.org/x/tools from v0.26.0 to v0.29.0: $ go get tool go: upgraded golang.org/x/tools v0.26.0 => v0.29.0 This is inconsistent with go get: usage: go get [-t] [-u] [-tool] [build flags] [packages] Get resolves its command-line arguments to packages at specific module versions, updates go.mod to require those versions, and downloads source code into the module cache. go get -u is meant to upgrade dependencies: The -u flag instructs get to update modules providing dependencies of packages named on the command line to use newer minor or patch releases when available. What did you expect to see? It download the version specified in go.mod, and nothing else: $ go get tool go: downloading golang.org/x/tools v0.26.0 $ Then, if I want to upgrade the tool: $ go get -u golang.org/x/tools # or go get -u tool go: downloading golang.org/x/tools v0.29.0 go: upgraded golang.org/x/tools v0.26.0 => v0.29.0 $ This auto-upgrade behavior is going to be a footgun.

github.com a year ago

Open page

https://github.com/golang/go/issues/71289