fix(go_modules): preserve unrelated go.mod checksums in go.sum #15056

Closed
v-HaripriyaC wants to merge 1 commit into main from chp/go-removes-hashes-14872

@v-HaripriyaC

When Go tooling (go get, go mod tidy) runs during a dependency update, it can prune go.mod checksum entries for indirect/transitive dependencies that aren't strictly needed for building. This causes Dependabot PRs to unexpectedly remove hash entries from go.sum that go mod tidy would keep.

Add reconcile_go_sum to detect go.mod checksum lines that were removed for modules NOT being updated, and restore them in sorted order.

Fixes #14872

What are you trying to accomplish?

Anything you want to highlight for special attention from reviewers?

How will you know you've accomplished your goal?

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.


Copilot AI left a comment

Pull request overview

This PR adjusts the Go modules updater to avoid accidentally dropping go.mod checksum entries from go.sum for modules that aren’t part of the requested update, aligning Dependabot’s output more closely with typical go mod tidy behavior.

Changes:

  • Add reconcile_go_sum to re-add removed /go.mod checksum lines for modules not being updated, then re-sort the merged go.sum.
  • Update update_files to return go_sum only when present (via Hash#compact).
  • Add specs covering restoration of an unrelated /go.mod checksum line and ensuring updated dependencies’ removed lines are not restored.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb | Adds go.sum reconciliation logic and adjusts updated file return shape. |
| go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb | Adds regression coverage for restoring unrelated /go.mod checksum lines. |

Comment thread go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb Outdated

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb Outdated
Comment thread go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
v-HaripriyaC marked this pull request as ready for review May 18, 2026 23:57
v-HaripriyaC requested a review from a team as a code owner May 18, 2026 23:57
v-HaripriyaC force-pushed the chp/go-removes-hashes-14872 branch from 0a611c6 to 4635ad8 May 19, 2026 01:34
v-HaripriyaC requested a review from Copilot May 19, 2026 01:35

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comment thread go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb Outdated
v-HaripriyaC force-pushed the chp/go-removes-hashes-14872 branch 2 times, most recently from fbfb8a7 to 6fc36cd May 19, 2026 03:04
v-HaripriyaC requested a review from Copilot May 19, 2026 03:06

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb Outdated
v-HaripriyaC force-pushed the chp/go-removes-hashes-14872 branch 2 times, most recently from 72cbc3c to e4172a4 May 19, 2026 03:31
v-HaripriyaC requested a review from Copilot May 19, 2026 03:32

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comment thread go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb Outdated
v-HaripriyaC force-pushed the chp/go-removes-hashes-14872 branch from e4172a4 to 2612f50 May 19, 2026 03:40
v-HaripriyaC force-pushed the chp/go-removes-hashes-14872 branch 2 times, most recently from 384d924 to 4c871f2 May 19, 2026 15:15
v-HaripriyaC requested a review from Copilot May 19, 2026 15:16

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
Comment thread go_modules/spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb Outdated
v-HaripriyaC force-pushed the chp/go-removes-hashes-14872 branch from 4c871f2 to ab7430e May 19, 2026 15:38

When go get updates a dependency, it may remove /go.mod checksum lines
from go.sum for unrelated modules that are still in the dependency
graph. This causes noisy diffs that go mod tidy would revert.

Add reconcile_go_sum to restore missing /go.mod checksum lines when:
- The line belongs to a module not being updated
- The same module+version still has a zip hash entry in the updated file

The restore uses Dependabot::GoModules::Version for semver-aware sorting
to produce canonical go.sum ordering. When no lines need restoring, the
updated go.sum is returned unchanged to avoid unnecessary rewrites.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
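
The restore rule from the commit message above, as an added Ruby example; it is not the code from this pull request. The module paths, hashes, `GoSumLine`, `parse_go_sum` and the `reconcile_go_sum` signature are assumptions made for illustration, a plain string sort stands in for `Dependabot::GoModules::Version`, and the check against an already-present `/go.mod` line is an extra guard of this example.

```ruby
# Constructed sample data; the hashes are placeholders, not real checksums.
ORIGINAL_SUM = <<~SUM
  example.com/a v1.0.0 h1:AAAA=
  example.com/a v1.0.0/go.mod h1:AAAB=
  example.com/b v1.2.0 h1:BBBA=
  example.com/b v1.2.0/go.mod h1:BBBB=
  example.com/c v0.3.0 h1:CCCA=
  example.com/c v0.3.0/go.mod h1:CCCB=
  example.com/d v2.0.0 h1:DDDA=
  example.com/d v2.0.0/go.mod h1:DDDB=
SUM
UPDATED_SUM = <<~SUM
  example.com/a v1.0.0 h1:AAAA=
  example.com/b v1.3.0 h1:BBCA=
  example.com/b v1.3.0/go.mod h1:BBCB=
  example.com/c v0.3.0/go.mod h1:CCCB=
SUM

GoSumLine = Struct.new(:mod, :version, :go_mod, :raw)

# A go.sum line is "<module> <version>[/go.mod] h1:<hash>".
def parse_go_sum(text)
  text.each_line.filter_map do |raw|
    mod, ver, hash = raw.strip.split(" ", 3)
    next if hash.nil? # skip blank or malformed lines
    GoSumLine.new(mod, ver.delete_suffix("/go.mod"), ver.end_with?("/go.mod"), raw.strip)
  end
end

# updated_modules: module paths the update is intentionally changing.
def reconcile_go_sum(original, updated, updated_modules)
  new_lines = parse_go_sum(updated)
  key = ->(l) { [l.mod, l.version] }
  zip_kept = new_lines.reject(&:go_mod).map(&key)   # zip hash still present
  gomod_kept = new_lines.select(&:go_mod).map(&key) # /go.mod hash still present

  restore = parse_go_sum(original).select do |l|
    l.go_mod &&
      !updated_modules.include?(l.mod) &&  # never resurrect the updated module
      zip_kept.include?(key.(l)) &&        # module+version is still in the graph
      !gomod_kept.include?(key.(l))        # never add a second, conflicting hash
  end
  return updated if restore.empty? # leave an unaffected file byte-for-byte intact

  # Simplification: string ordering, not semver-aware ordering.
  merged = (new_lines + restore).sort_by { |l| [l.mod, l.version, l.go_mod ? 1 : 0] }
  merged.map(&:raw).join("\n") + "\n"
end
```

With the sample data and `["example.com/b"]` as the updated module, only the `example.com/a v1.0.0/go.mod` line is restored: `b` is the module being updated, `c` still has its `/go.mod` line, and `d` no longer has a zip hash.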

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

v-HaripriyaC commented May 19, 2026

added repo to reproduce the issue with and without the fix https://github.com/dsp-testing/removes-hashOfGomod-goSum-issue/blob/chp/removes-hashOfGomod-goSum-issue/

thavaahariharangit self-requested a review May 19, 2026 22:19
@v-HaripriyaC

fixed as part of #15106

Development

Successfully merging this pull request may close these issues.

Dependabot unexpectedly removes hash of go.mod from go.sum