Skip to content

fix(gomod): pseudo-version digest updates produce no change when module is absent from go proxy #44455

Description

@RahulGautamSingh

Discussed in #44449

Originally posted by Maydaer July 9, 2026

How are you running Renovate?

Self-hosted Renovate CLI

Which platform you running Renovate on?

GitHub Enterprise Server

Which version of Renovate are you using?

43.252.1

Please tell us more about your question or problem

Description

Since Renovate version 43.167.0 (which includes PR #41588), digest updates for Go modules with pseudo-versions no longer produce file changes, if the repository is unavailable in the goproxy (for example repos on github enterprise instances, private repositories, etc).
The update process detects a newer commit, but only for newDigest.
The lookup for the new commit on proxy.golang.org fails, which causes upgrade.newValue in gomod.update to be equal to the current (old) value.

However, since current value is a pseudo-version, the version starts with v0.0.0-and gomod.update goes into the new code path

      if (upgrade.newValue?.startsWith('v0.0.0-')) {

added by the above PR, but since newVersion is the old version, no file changes occur.

Before the above PR, the gomod.update would have gone into the defensive fallback path. It replaces the version in the go.mod by newDigest and have go get find the corresponding pseudo version.

Reproducing the issue

Repo A has a dependency to private repo B, to which renovate has access, but goproxy does not.
Repo B should have pseudo-versioning such as

example.enterprise.com/org/my-module v0.0.0-20200101084118-1111111111111",

Merge something to main of repo B, which produces e.g. digest ffffffffff.
Renovate will be able to find the new digest ffffffffffff to determine a new version is available, but the actual renovate run to create the update PR will not open the PR due to "DEBUG: No changes necessary"

Possible fix

Ensure we get to the defensive fallback path, if newValue has not changed, by replacing

      if (upgrade.newValue?.startsWith('v0.0.0-')) {

with

      if (upgrade.newValue?.startsWith('v0.0.0-')) && upgrade.newValue !== upgrade.currentValue {

Logs (if relevant)

Logs
DEBUG: Fetching example.enterprise.com/org/my-module via GONOPROXY match
DEBUG: Go module: example.enterprise.com/org/my-module lookup import url https://example.enterprise.com/org/my-module.git
 INFO: Found no results from datasource that look like a version
       "result": {"sourceUrl": "https://example.enterprise.com/org/my-module", "releases": []}
DEBUG: Found no satisfying versions with 'loose' versioning
DEBUG: http cache: saving https://example.enterprise.com/api/v3/repos/org/my-module/commits?per_page=1
(...)
DEBUG: gomod.updateDependency: v0.0.0-20200101084118-1111111111111
DEBUG: gomod: updating pseudo-version digest
       { "depName": "example.enterprise.com/org/my-module",
         "lineToChange": "\texample.enterprise.com/org/my-module v0.0.0-20200101084118-1111111111111",
         "newValue": "v0.0.0-20200101084118-1111111111111" }
DEBUG: No changes necessary
DEBUG: No package files need updating
DEBUG: No updated lock files in branch
DEBUG: No changes to package files, skipping post-upgrade tasks
DEBUG: No files to commit

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    Fields

    Priority

    Medium

    Regression introduced in

    None yet

    Datasource

    None yet

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions