Hacker News

mxey, today at 3:10 PM

Actually, with Go modules you are always pinning dependencies. What’s in your go.mod is what is used. If your go.mod needs to be updated because a dependency wants to bring in a newer version of a transient dependency, the go.mod has to be modified (by the go command, not by you).


Replies

awesome_dude, today at 7:54 PM

I don't think you understand the term "pinning".

go mod tidy will update your go modules whenever it feels it needs to and there's nothing you can do to stop it.

The workaround is vendoring, where you control the versions in a cache.
