This by the way feels like a requirement of #27227, but I think that even if using vendor/ is not the default, its presence suggests it's an option, so it shouldn't be broken.

An out of date vendor/ folder feels like an entirely inconsistent and confusing state to be in, causing builds to unexpectedly fail only for certain users, with no advantages,

Conversely, one of the most consistent use-cases I have heard for the vendor directory is as a place to experiment with patches to dependencies.

We clearly do need to be able to verify the consistency of the vendor directory (see also #27348), especially as a pre-commit hook, and go release should ensure that vendor is up-to-date (#26420 (comment)), but I don't think we can reasonably update it without any intervention at all.

I feel like the fact that vendor/ is used to experiment with patches to dependencies makes it even worse for it to be inconsistent: a dev will be running builds in modules mode (or this issue does not apply) with patches in vendor/, and they will silently not work, while they did for someone else who was running in GOPATH mode. At least if they get rewritten it will be clear what's happening.

I agree that existing packages should not be modified when using -mod=vendor, because then they are authoritative in themselves. (But new ones should be added as needed.) If vendor is being used to experiment with patches to dependencies, -mod=vendor should (and probably will) be used anyway.

(I am very skeptical of the adoption of pre-commit hooks.)

If vendor is being used to experiment with patches to dependencies, -mod=vendor should (and probably will) be used anyway.

Ideally I would like the -mod=vendor flag to go away entirely. (The vendor directory should behave more like a set of implicit replace statements than a separate build mode.)

(The vendor directory should behave more like a set of implicit replace statements than a separate build mode.)

+1 on that. (Which I guess is a solution to #27227?) In that case it's even more natural to update vendor/ to reflect the build, because all existing packages stay as they are, and missing ones are filled in, providing backwards compatibility.

Given #27227, it's not clear to me when we would update the vendor directory at all. Perhaps during go get if the previous contents were still clean?

That seems pretty subtle, though.

Is the use case of vendor/ as backwards compatibility for GOPATH mode not a supported goal?

Also, a lot of the community support for vendor/ was not as implicit replaces but to guarantee self-contained builds, and if it's not kept up to date that goal is defeated.

Personally I never liked using vendor/ patches as it's subtle and implicit, and I don't think it's something we should be encouraging.

Ideally I would like the -mod=vendor flag to go away entirely. (The vendor directory should behave more like a set of implicit replace statements than a separate build mode.)

@bcmills I completely disagree with this and think this is a really bad idea. This may be ok for Google's workflow but would break lots of other company's.

The vendor folder is currently the only way to guarantee reproducible builds on all machines even if offline. Also, if you remove it, how are you going to tackle the problem of remote dependencies disappearing from the internet? These problems need addressing before any talk on removing the vendor folder.

@nomad-software I said I want to remove the flag, not the vendor directory. If we use vendor by default, then we don't need an explicit flag to enable it.

@bcmills Ok, I misunderstood but that still raises the question how do we build against the download cache or the vendor folder? That flag is really handy. You shouldn't just remove it without a really good reason or an alternative to achieve the functionality of what we enjoy now.

Given #27227, it's not clear to me when we would update the vendor directory at all. Perhaps during go get if the previous contents were still clean?

Older dependency management programs (govendor, go dep, glide, etc) all overwrote the vendor directory unconditionally. This didn't prevent people from using it to experiment with changes to dependencies. Modules are a bit different because dependencies are updated implicitly as part of the build process, however I think that this simple rule: "if go.mod is changed run go mod vendor", would satisfy everyone. It would keep the vendor directory up to date with go.mod and let people make changes inside vendor.

I've been looking into the details for #27227, and I tend to agree that it will make this proposal necessary as well.

#33848 explicitly checks for consistency.

For the reasons described in #30240 (comment), we should not update the vendor directory automatically.

Closing in favor of #33848.