Description
As of Go 1.16, all `go mod` subcommands can update `go.mod` and `go.sum`. Some commands are intended to update these files, and that shouldn't change. However, most commands may still perform an automatic update, which may be surprising. Internally, `go mod` subcommands run in `-mod=mod` mode, even though they don't have a `-mod` command line flag.

For some commands, updating `go.mod` and `go.sum` is expected:

- `go mod edit` is supposed to edit `go.mod`.
- `go mod init` creates `go.mod` and may import information from another dependency management tool.
- `go mod tidy` is supposed to edit `go.mod` and `go.sum`.

For other commands, updating `go.mod` or `go.sum` may be quite unexpected. The go command should report an error if `go.mod` or `go.sum` need to be updated.

- `go mod graph` is a query tool. It shouldn't have side effects.
- `go mod vendor` is expected to update `vendor` but not `go.mod`.
- `go mod verify` also shouldn't have side effects.
- `go mod why`, same deal.

`go mod download` occupies an awkward middle ground. It has always been able to update `go.mod` (probably should not), but it may also add sums of modules in the build list to `go.sum`. This is usually unexpected and undesired when `go mod download` is invoked without arguments: users want something like `go list all` that populates the module cache with modules needed to build packages in the main module, not including unused dependencies of dependencies. However, we shouldn't entirely prevent `go mod download` from updating `go.sum`, since it's the best way to add a specific sum for a necessary but unused module (for disambiguating an imported package).

I'd suggest the following change in behavior for `go mod download`:

- `go mod download` always loads the build list and reports an error if `go.mod` needs to be updated instead of updating it automatically.
- `go mod download` only adds a hash to `go.sum` if the corresponding module is explicitly named on the command line (not simply matched by `all` or a wildcard or implied by a lack of arguments) without an explicit version or at the version in the build list.
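
A CI-side guard for the side effects described above, as an added example that is not part of the issue or the Go project's code: it hashes `go.mod` and `go.sum` before and after a command and fails if either changed. The function names `snapshot` and `run_without_mod_changes` and the exit code 3 are hypothetical choices for this sketch.

```shell
#!/bin/sh
# Added example: detect a command that silently rewrites go.mod or go.sum.

# snapshot DIR: print one line per module file with its SHA-256 digest.
# A missing file is recorded as "absent", so creating go.sum counts as a change.
snapshot() {
    for f in go.mod go.sum; do
        if [ -f "$1/$f" ]; then
            printf '%s %s\n' "$f" "$(sha256sum < "$1/$f" | cut -d' ' -f1)"
        else
            printf '%s absent\n' "$f"
        fi
    done
}

# run_without_mod_changes DIR CMD [ARGS...]
# Runs CMD inside DIR. Returns CMD's own status if it fails,
# 3 if go.mod or go.sum differ afterwards, and 0 otherwise.
run_without_mod_changes() {
    dir=$1
    shift
    before=$(snapshot "$dir")
    ( cd "$dir" && "$@" ) || return $?
    after=$(snapshot "$dir")
    if [ "$before" != "$after" ]; then
        {
            printf "error: '%s' modified module files in %s\n" "$*" "$dir"
            printf 'before:\n%s\nafter:\n%s\n' "$before" "$after"
        } >&2
        return 3
    fi
    return 0
}

# Intended use in a pipeline, wrapping commands that should be read-only:
#   run_without_mod_changes . go mod verify
#   run_without_mod_changes . go mod graph
```
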