Backward compatibility of "go mod vendor"?

[Davis Goodin]

I noticed today that taking the Go 1.22.6 source tree and running "go1.22.6 mod vendor" and "go1.23.0 mod vendor" give me different results. (Vendoring using go1.23.0 adds golang.org/x/crypto/sha3.)

I've been working under the assumption that backward compatibility promises would extend to "go mod vendor". This way, developers using 1.23.x and 1.22.x won't have thrashing changes when working on the same module.

Did I pick up a bad assumption? Or is this a bug?

(Or is the standard library module special?)

[Ian Lance Taylor]

This looks like a bug. Can you file it at https://go.dev/issue? Thanks.

Ian

[Davis Goodin]

Done, thanks:  cmd/go: running `go1.23.0 mod vendor` on go1.22.6 source unexpectedly vendors `golang.org/x/crypto/sha3` · Issue #69235 · golang/go (github.com)