by m90 1403 days ago
A package appearing in go.sum does not necessarily mean it's being used. It just means it has been downloaded once, but might have been replaced by some other version at some point.
2 comments

This has bitten me before. A security scanner reported a vulnerability from this that was blocking me from my “use X at work” request.

I ended up having to teach the vendor of the tool about go mod.

But if you are publishing a “release” I personally think it is good to tidy that up. Even just to prevent misconceptions. No reason to preserve ancient versions and especially failed library experiments.

Is there a safe way to de-bloat go.sum?
There's go mod tidy, which does exactly that.
Does that clear out go.sum too? I thought it only affected go.mod ...
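An added example, not code posted by anyone in this thread, that makes the top comment's point concrete (a go.sum line is not proof that a module is built) and shows what the `go mod tidy` exchange is about. It compares a go.sum file against the module build list, i.e. what `go list -m all` prints, and reports content-hash lines whose module@version is not in that list; those are the lines a vulnerability scanner that only greps go.sum will misread as "in use". Lines ending in `/go.mod` are skipped on purpose: Go keeps those hashes for version selection even when the module's source is never compiled. The two inputs are constructed inline so the script runs offline; the function names and the sample module paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the Hacker News thread): find go.sum entries that are
# not part of the active module build list.

# Constructed sample go.sum: "oldlib" was once a dependency but is no longer
# in the build list, so its content-hash line is stale.
GOSUM_SAMPLE='github.com/example/lib v1.4.0 h1:AAAA
github.com/example/lib v1.4.0/go.mod h1:BBBB
github.com/example/oldlib v1.0.0 h1:CCCC
github.com/example/oldlib v1.0.0/go.mod h1:DDDD
github.com/example/util v0.2.0/go.mod h1:EEEE'

# Constructed sample of what `go list -m all` prints for the same project:
# the main module first (no version), then one line per module in the build list.
BUILDLIST_SAMPLE='example.com/myapp
github.com/example/lib v1.4.0'

# stale_gosum_entries GOSUM_FILE BUILDLIST_FILE
#   Prints "module version" for every go.sum content-hash line (one whose
#   version field does not end in /go.mod) whose module@version is absent
#   from the build list. /go.mod-only lines are ignored because the go tool
#   legitimately keeps them for modules it never builds.
stale_gosum_entries() {
    awk '
        # First file: the build list. Record module@version for each versioned line.
        FILENAME == ARGV[1] { if ($2 != "") active[$1 "@" $2] = 1; next }
        # Second file: go.sum. Report content-hash lines not in the build list.
        $2 !~ /\/go\.mod$/ && !(($1 "@" $2) in active) { print $1, $2 }
    ' "$2" "$1"
}

# stale_from_strings GOSUM_TEXT BUILDLIST_TEXT
#   Convenience wrapper: writes both inputs to temp files and runs the check.
stale_from_strings() {
    gosum=$(mktemp) || return 1
    buildlist=$(mktemp) || { rm -f "$gosum"; return 1; }
    printf '%s\n' "$1" > "$gosum"
    printf '%s\n' "$2" > "$buildlist"
    stale_gosum_entries "$gosum" "$buildlist"
    rm -f "$gosum" "$buildlist"
}

# Demo on the constructed samples; expected output is the single line
# "github.com/example/oldlib v1.0.0".
stale_from_strings "$GOSUM_SAMPLE" "$BUILDLIST_SAMPLE"
```

Against a real checkout, run `go list -m all > buildlist.txt` in the module root and then `stale_gosum_entries go.sum buildlist.txt`. Anything it prints is what `go mod tidy` would drop from go.sum, which answers the last question in the thread: tidy prunes go.sum as well as go.mod. The check is read-only, so it is safe to run in CI to flag a go.sum that has drifted from the build list before a scanner reports a vulnerability in a module the binary never contained.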