The Go team is providing the following services run by Google: a module mirror for accelerating Go module downloads, an index for discovering new modules, and a global go.sum database for authenticating module content.
Since Go 1.13, the go command by default downloads and authenticates modules using the Go module mirror and Go checksum database. See proxy.golang.org/privacy for privacy information about these services and the go command documentation for configuration details including how to disable the use of these servers or use different ones. If you depend on non-public modules, see the documentation for configuring your environment.
proxy.golang.org - a module mirror
which implements the module proxy protocol.
For users downloading large numbers of modules (e.g. for bulk static analysis), the mirror
supports a non-standard header,
Disable-Module-Fetch: true that instructs it to
return only cached content. This will avoid slow downloads, at the cost of possibly missing some
sum.golang.org - an auditable checksum database which will be used by the go command to authenticate modules. Learn more in the go command documentation.
index.golang.org - an index which serves a feed of new module versions that become available by proxy.golang.org. The feed can be viewed at https://index.golang.org/index. The feed is served as new line delimited JSON, providing the module path (as Path), the module version (as Version), and the time it was first cached by proxy.golang.org (as Timestamp). The list is sorted in chronological order. There are two optional parameters:
Disable-Module-Fetchheader, described above.
These services are ready for production use. Please file issues if you spot them, with the title prefix "proxy.golang.org:" (or "index.golang.org:", or "sum.golang.org:").
These services can only access publicly available source code. If you depend on private
GOPRIVATE to a glob pattern that covers them. See
Module configuration for non-public modules
in the go command documentation for more details.
To opt-out of this module mirror, you can turn it off by setting
See the go command documentation for other configuration details.
go get -uor
go list -m --versions?
In order to improve our services' caching and serving latencies, new versions may not show up
right away. If you want new code to be immediately available in the mirror, then first make sure
there is a semantically versioned tag for this revision in the underlying source repository.
Then explicitly request that version via
go get module@version. The new version
should be available within one minute. Note that if someone requested the version before the tag
was pushed, it may take up to 30 minutes for the mirror's cache to expire and fresh data about
the version to become available. If the version is still not available after 30 minutes, please
file an issue.
Whenever possible, the mirror aims to cache content in order to avoid breaking builds for people that depend on your package, so this bad release may still be available in the mirror even if it is not available at the origin. The same situation applies if you delete your entire repository. We suggest creating a new version and encouraging people to use that one instead.
If you would like to hide versions of a module from the
command, as well as pkg.go.dev, you should retract them.
Retracting a module version involves adding a retract directive
to your go.mod file and publishing a new version. See the Go blog post
New module changes in Go 1.16 and
the modules reference for details.
The go command documentation describes the configuration details including how to disable the use of these servers or use different ones.
GOPRIVATEand request a private module from these services, what leaks?
proxy.golang.org does not save all modules forever. There are a number of reasons for this, but one reason is if proxy.golang.org is not able to detect a suitable license. In this case, only a temporarily cached copy of the module will be made available, and may become unavailable if it is removed from the original source and becomes outdated. The checksums will still remain in the checksum database regardless of whether or not they have become unavailable in the mirror.
Following the security policy, send an email to email@example.com with the word "vulnerability" in the message somewhere.