Changes to default `GOSUMDB` environment variable on the Mend Developer Platform (and what it means for private Go modules) #40041

jamietanna · 2025-12-17T10:25:35Z

jamietanna
Dec 17, 2025
Maintainer

Note

This only affects Renovate Cloud on developer.mend.io (Mend Developer Platform), and does not modify anything for users of the Renovate CLI deployed as part of any self-hosted usage.

This also does not affect any Mend Renovate Self-Hosted (Community Edition or Enterprise Edition) users.

Note

This only affects you if you are interacting with Go module dependencies. If you do not use Go modules with the Mend Developer Platform, you can disregard this.

Timeline

We decided not to follow the announcement + community feedback process, which we outlined in October, as it would've introduced increased risk of supply chain attack exposure.

If you are reading this, the change has already been made.

What's changed?

On the Mend Developer Platform, the means to authenticate Go modules' authentication was previously switched off, by setting the environment variable GOSUMDB=off globally.

As part of a change made today (2025-12-17), we have unset this variable, so it will use the defaults from the Go toolchain.

(For instance, in Go 1.25, this will set GOSUMDB=sum.golang.org)

What's the impact to me? What action(s) may I need to take?

If you use private Go module dependencies, you should see Renovate continue to detect and/or propose PR updates, but will fail with Artifact update problems:

Example "Artifact update problem" PR comment

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: github.com/JamieTanna-Mend-testing/[email protected]: verifying go.mod: github.com/JamieTanna-Mend-testing/[email protected]/go.mod: reading https://sum.golang.org/lookup/github.com/!jamie!tanna-!mend-testing/[email protected]: 404 Not Found
	server response:
	not found: github.com/JamieTanna-Mend-testing/[email protected]: invalid version: git ls-remote -q https://github.com/JamieTanna-Mend-testing/private-go-module-child in /tmp/gopath/pkg/mod/cache/vcs/6aaeda5367a564e937de70231b7b9f06a1bef19342f73c2728855eb22c8f6bb5: exit status 128:
		fatal: could not read Username for 'https://github.com': terminal prompts disabled
	Confirm the import path was entered correctly.
	If this is a private repository, see https://golang.org/doc/faq#git_https for additional information.

This happens due to the go toolchain not knowing that you have private dependencies, even though it has authentication (via Renovate's Host Rules).

You can also see this failing in the Renovate debug logs:

Full debug logs

INFO: Repository started
{
  "renovateVersion": "42.54.2"
}
...
...
...
DEBUG: Executing command (branch="renovate/github.com-jamietanna-mend-testing-private-go-module-child-digest")
{
  "command": "install-tool golang 1.25.4"
}

DEBUG: exec completed (branch="renovate/github.com-jamietanna-mend-testing-private-go-module-child-digest")
{
  "durationMs": 8509,
  "stdout": "[15:17:44.194] INFO (735): Installing tool [email protected]...\ngo version go1.25.4 linux/amd64\nAR='ar'\nCC='gcc'\nCGO_CFLAGS='-O2 -g'\nCGO_CPPFLAGS=''\nCGO_CXXFLAGS='-O2 -g'\nCGO_ENABLED='1'\nCGO_FFLAGS='-O2 -g'\nCGO_LDFLAGS='-O2 -g'\nCXX='g++'\nGCCGO='gccgo'\nGO111MODULE=''\nGOAMD64='v1'\nGOARCH='amd64'\nGOAUTH='netrc'\nGOBIN='/usr/local/bin'\nGOCACHE='/home/ubuntu/.cache/go-build'\nGOCACHEPROG=''\nGODEBUG=''\nGOENV='/home/ubuntu/.config/go/env'\nGOEXE=''\nGOEXPERIMENT=''\nGOFIPS140='off'\nGOFLAGS='-modcacherw'\nGOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3599453714=/tmp/go-build -gno-record-gcc-switches'\nGOHOSTARCH='amd64'\nGOHOSTOS='linux'\nGOINSECURE=''\nGOMOD='/tmp/renovate/repos/github/JamieTanna-Mend-testing/private-go-module-parent/go.mod'\nGOMODCACHE='/runner/cache/others/go/pkg/mod'\nGONOPROXY=''\nGONOSUMDB=''\nGOOS='linux'\nGOPATH='/runner/cache/others/go'\nGOPRIVATE=''\nGOPROXY='https://proxy.golang.org,direct'\nGOROOT='/opt/containerbase/tools/golang/1.25.4'\nGOSUMDB='sum.golang.org'\nGOTELEMETRY='local'\nGOTELEMETRYDIR='/home/ubuntu/.config/go/telemetry'\nGOTMPDIR=''\nGOTOOLCHAIN='auto'\nGOTOOLDIR='/opt/containerbase/tools/golang/1.25.4/pkg/tool/linux_amd64'\nGOVCS=''\nGOVERSION='go1.25.4'\nGOWORK=''\nPKG_CONFIG='pkg-config'\n[15:17:51.641] INFO (735): Install tool golang succeeded in 7.4s.\n",
  "stderr": ""
}

DEBUG: Executing command (branch="renovate/github.com-jamietanna-mend-testing-private-go-module-child-digest")
{
  "command": "go get -t ./..."
}

DEBUG: rawExec err (branch="renovate/github.com-jamietanna-mend-testing-private-go-module-child-digest")
{
  "err": {
    "cmd": "/bin/sh -c go get -t ./...",
    "stderr": "go: github.com/JamieTanna-Mend-testing/[email protected]: verifying go.mod: github.com/JamieTanna-Mend-testing/[email protected]/go.mod: reading https://**redacted**@v0.0.0-20251215150819-540856d5e075: 404 Not Found\n\tserver response:\n\tnot found: github.com/JamieTanna-Mend-testing/[email protected]: invalid version: git ls-remote -q https://github.com/JamieTanna-Mend-testing/private-go-module-child in /tmp/gopath/pkg/mod/cache/vcs/6aaeda5367a564e937de70231b7b9f06a1bef19342f73c2728855eb22c8f6bb5: exit status 128:\n\t\tfatal: could not read Username for 'https://github.com': terminal prompts disabled\n\tConfirm the import path was entered correctly.\n\tIf this is a private repository, see https://golang.org/doc/faq#git_https for additional information.\n",
    "stdout": "",
    "options": {
      "cwd": "/tmp/renovate/repos/github/JamieTanna-Mend-testing/private-go-module-parent",
      "encoding": "utf-8",
      "env": [
        "GOPATH",
        "GOSUMDB",
        "GOFLAGS",
        "GIT_CONFIG_KEY_0",
        "GIT_CONFIG_VALUE_0",
        "GIT_CONFIG_KEY_1",
        "GIT_CONFIG_VALUE_1",
        "GIT_CONFIG_KEY_2",
        "GIT_CONFIG_VALUE_2",
        "GIT_CONFIG_COUNT",
        "HOME",
        "PATH",
        "LC_ALL",
        "LANG",
        "CONTAINERBASE_CACHE_DIR"
      ],
      "maxBuffer": 10485760,
      "timeout": 900000
    },
    "exitCode": 1,
    "name": "ExecError",
    "message": "Command failed: go get -t ./...\ngo: github.com/JamieTanna-Mend-testing/[email protected]: verifying go.mod: github.com/JamieTanna-Mend-testing/[email protected]/go.mod: reading https://**redacted**@v0.0.0-20251215150819-540856d5e075: 404 Not Found\n\tserver response:\n\tnot found: github.com/JamieTanna-Mend-testing/[email protected]: invalid version: git ls-remote -q https://github.com/JamieTanna-Mend-testing/private-go-module-child in /tmp/gopath/pkg/mod/cache/vcs/6aaeda5367a564e937de70231b7b9f06a1bef19342f73c2728855eb22c8f6bb5: exit status 128:\n\t\tfatal: could not read Username for 'https://github.com': terminal prompts disabled\n\tConfirm the import path was entered correctly.\n\tIf this is a private repository, see https://golang.org/doc/faq#git_https for additional information.\n",
    "stack": "ExecError: Command failed: go get -t ./...\ngo: github.com/JamieTanna-Mend-testing/[email protected]: verifying go.mod: github.com/JamieTanna-Mend-testing/[email protected]/go.mod: reading https://**redacted**@v0.0.0-20251215150819-540856d5e075: 404 Not Found\n\tserver response:\n\tnot found: github.com/JamieTanna-Mend-testing/[email protected]: invalid version: git ls-remote -q https://github.com/JamieTanna-Mend-testing/private-go-module-child in /tmp/gopath/pkg/mod/cache/vcs/6aaeda5367a564e937de70231b7b9f06a1bef19342f73c2728855eb22c8f6bb5: exit status 128:\n\t\tfatal: could not read Username for 'https://github.com': terminal prompts disabled\n\tConfirm the import path was entered correctly.\n\tIf this is a private repository, see https://golang.org/doc/faq#git_https for additional information.\n\n    at ChildProcess.<anonymous> (/usr/local/renovate/lib/util/exec/common.ts:120:11)\n    at ChildProcess.emit (node:events:520:35)\n    at ChildProcess.emit (node:domain:489:12)\n    at Process.ChildProcess._handle.onexit (node:internal/child_process:294:12)"
  },
  "durationMs": 717
}

DEBUG: Failed to update go.sum (branch="renovate/github.com-jamietanna-mend-testing-private-go-module-child-digest")
{
  "err": {
    "cmd": "/bin/sh -c go get -t ./...",
    "stderr": "go: github.com/JamieTanna-Mend-testing/[email protected]: verifying go.mod: github.com/JamieTanna-Mend-testing/[email protected]/go.mod: reading https://**redacted**@v0.0.0-20251215150819-540856d5e075: 404 Not Found\n\tserver response:\n\tnot found: github.com/JamieTanna-Mend-testing/[email protected]: invalid version: git ls-remote -q https://github.com/JamieTanna-Mend-testing/private-go-module-child in /tmp/gopath/pkg/mod/cache/vcs/6aaeda5367a564e937de70231b7b9f06a1bef19342f73c2728855eb22c8f6bb5: exit status 128:\n\t\tfatal: could not read Username for 'https://github.com': terminal prompts disabled\n\tConfirm the import path was entered correctly.\n\tIf this is a private repository, see https://golang.org/doc/faq#git_https for additional information.\n",
    "stdout": "",
    "options": {
      "cwd": "/tmp/renovate/repos/github/JamieTanna-Mend-testing/private-go-module-parent",
      "encoding": "utf-8",
      "env": [
        "GOPATH",
        "GOSUMDB",
        "GOFLAGS",
        "GIT_CONFIG_KEY_0",
        "GIT_CONFIG_VALUE_0",
        "GIT_CONFIG_KEY_1",
        "GIT_CONFIG_VALUE_1",
        "GIT_CONFIG_KEY_2",
        "GIT_CONFIG_VALUE_2",
        "GIT_CONFIG_COUNT",
        "HOME",
        "PATH",
        "LC_ALL",
        "LANG",
        "CONTAINERBASE_CACHE_DIR"
      ],
      "maxBuffer": 10485760,
      "timeout": 900000
    },
    "exitCode": 1,
    "name": "ExecError",
    "message": "Command failed: go get -t ./...\ngo: github.com/JamieTanna-Mend-testing/[email protected]: verifying go.mod: github.com/JamieTanna-Mend-testing/[email protected]/go.mod: reading https://**redacted**@v0.0.0-20251215150819-540856d5e075: 404 Not Found\n\tserver response:\n\tnot found: github.com/JamieTanna-Mend-testing/[email protected]: invalid version: git ls-remote -q https://github.com/JamieTanna-Mend-testing/private-go-module-child in /tmp/gopath/pkg/mod/cache/vcs/6aaeda5367a564e937de70231b7b9f06a1bef19342f73c2728855eb22c8f6bb5: exit status 128:\n\t\tfatal: could not read Username for 'https://github.com': terminal prompts disabled\n\tConfirm the import path was entered correctly.\n\tIf this is a private repository, see https://golang.org/doc/faq#git_https for additional information.\n",
    "stack": "ExecError: Command failed: go get -t ./...\ngo: github.com/JamieTanna-Mend-testing/[email protected]: verifying go.mod: github.com/JamieTanna-Mend-testing/[email protected]/go.mod: reading https://**redacted**@v0.0.0-20251215150819-540856d5e075: 404 Not Found\n\tserver response:\n\tnot found: github.com/JamieTanna-Mend-testing/[email protected]: invalid version: git ls-remote -q https://github.com/JamieTanna-Mend-testing/private-go-module-child in /tmp/gopath/pkg/mod/cache/vcs/6aaeda5367a564e937de70231b7b9f06a1bef19342f73c2728855eb22c8f6bb5: exit status 128:\n\t\tfatal: could not read Username for 'https://github.com': terminal prompts disabled\n\tConfirm the import path was entered correctly.\n\tIf this is a private repository, see https://golang.org/doc/faq#git_https for additional information.\n\n    at ChildProcess.<anonymous> (/usr/local/renovate/lib/util/exec/common.ts:120:11)\n    at ChildProcess.emit (node:events:520:35)\n    at ChildProcess.emit (node:domain:489:12)\n    at Process.ChildProcess._handle.onexit (node:internal/child_process:294:12)"
  }
}

Recommended action (for Community/free users)

Follow the Go documentation on authenticating to private Go modules.

For instance, if you have predominantly (or all) private Go modules from github.com/JamieTanna-Mend-testing, you could set GOPRIVATE=github.com/JamieTanna-Mend-testing/*.

Follow the best practices guidance in the ecosystem when setting GOPRIVATE and GONOSUMDB to ensure that you're not over-including module names (in case you have public modules that get included by GOPRIVATE, which will mean that the Go Checksum database isn't being checked for any of those public packages).

It is possible to set the GOPRIVATE and GONOSUMDB in the env repo config, as Mend have allowlisted GO* environment variables to be set.

For instance:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "env": {
    "GOPRIVATE": "github.com/JamieTanna-Mend-testing/*"
  }
}

As these are repo-level config options, you can also specify this in your Inherited Config, or in any shared config presets.

There are also discussions internally at Mend around adding a UI setting to set "environment variables" (for non-secret values), which will allow for providing these in a more "ClickOps" fashion.

Recommended action (for Enterprise customers)

We have worked with Enterprise customers and prepared a GOPRIVATE override for their repos, based on the private Go modules that we know they are using.

The GOPRIVATE variable has been set on the organization level's Secrets, as an environment variable that is exposed to the Renovate CLI.

Why was it set to `GOSUMDB=off`?

As part of looking into correcting this setting, we first needed to investigate why this had happened, so we could understand whether there was some context that was missing.

Before Renovate 38, Containerbase (which the Renovate Docker image is built on top of) would set GOSUMDB=off as part of its base configuration, and so when Renovate would execute the go toolchain, this would disable Go module checksum verification, allowing private module authentication to work.

However, we knew this to be insecure (and a key protection Go has against supply chain attacks), and so in Renovate 38 (2024-07-25), we removed this via a change in Containerbase, which we then merged in as part of the Renovate release.

We found that while investigating Go module failures with private authentication after Renovate 38's release, both self-hosted and hosted users saw issues with updating private Go modules.

While we worked to provide a solution for the hosted users (working with self-hosted users to confirm the relevant changes needed), we set GOSUMDB=off on the Mend Developer Platform as a temporary workaround.

As with many great "temporary workarounds", we didn't end up coming back to fix it fully - until now.

Why was the change made to revert `GOSUMDB` to the default values?

We (Mend) changed this setting as part of ongoing efforts to ensure that the Open Source Mend Renovate CLI and the Mend-hosted Renovate Cloud are secure-by-default.

As part of this, leaving the primary means for Go module integrity disabled and unenforced, for the benefit of a subset of users using private Go modules, was not an acceptable trade-off for the wide ecosystem of users who rely on our platform.

We appreciate that this may lead to some breakage of private Go modules, and as seen above, have suggested steps to take as a one-time migration.

What was the impact of us not making this change?

Given proximity to the winter break for a lot of folks around the world, we wanted to make the change now instead of waiting until the new year.

Considering the attack vector that this could lead to, we did not want to leave this in place any longer than it already has been.

Note that even if an attack like this could have occurred, and Renovate raised PRs that had a mismatched checksum in the go.sum, a repository's CI/CD executing subcommands in the go toolchain i.e. go test or go mod tidy would have flagged this as an issue. Regardless, moving to more secure defaults is the best choice here.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Changes to default `GOSUMDB` environment variable on the Mend Developer Platform (and what it means for private Go modules) #40041

Uh oh!

{{title}}

Uh oh!

⚠️ Artifact update problem

File name: go.sum

Replies: 0 comments

Select a reply

Uh oh!

Changes to default GOSUMDB environment variable on the Mend Developer Platform (and what it means for private Go modules) #40041

Uh oh!

jamietanna Dec 17, 2025 Maintainer

Timeline

What's changed?

What's the impact to me? What action(s) may I need to take?

⚠️ Artifact update problem

File name: go.sum

Recommended action (for Community/free users)

Recommended action (for Enterprise customers)

Why was it set to GOSUMDB=off?

Why was the change made to revert GOSUMDB to the default values?

What was the impact of us not making this change?

Replies: 0 comments

Changes to default `GOSUMDB` environment variable on the Mend Developer Platform (and what it means for private Go modules) #40041

jamietanna
Dec 17, 2025
Maintainer

Why was it set to `GOSUMDB=off`?

Why was the change made to revert `GOSUMDB` to the default values?