This file contains the crypto checksums representing the content of the required packages in go.mod.
It serves 2 purposes:
you can run the go mod verify command to check that the checksums of the downloaded packages on your machine match the entries in go.sum, so you can be confident that they haven’t been altered
if someone else needs to download all the deps for the project (go mod download), they will get an error if there is any mismatch between the deps they are downloading and the checksums in the file
Run go get with the u flag to upgrade to the latest minor or patch release.
$ go get -u github.com/foo/bar
Or upgrade to a specific version with:
$ go get -u email@example.com
Remove unused packages
Run go get with the postfix @none.
$ go get github.com/foo/bar@none
Or if all refs to the package have been removed run:
$ go mod tidy -v
to automatically remove all unused packages from go.mod and go.sum.