MongoDB Go Driver 1.13.0 Released

The MongoDB Go Driver Team is pleased to release version 1.13.0 of the MongoDB Go Driver.

This release enhances logging, search index management, and command events. This release also introduces smarter server selection for sharded clusters, optimizing retry selection. Additionally, we streamline resource usage on FaaS platforms by disabling streaming SDAM and introduce the serverMonitoringMode=stream/poll/auto URI option. For more information please see the 1.13.0 release notes.

You can obtain the driver source from GitHub under the v1.13.0 tag.

Documentation for the Go driver can be found on and the MongoDB documentation site. BSON library documentation is also available on Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver project in the MongoDB JIRA where a list of current issues can be found. Your feedback on the Go driver is greatly appreciated!

Thank you,
The Go Driver Team


anyone else getting this:

$ go get
go: downloading v1.13.0
go: verifying module: checksum mismatch
	downloaded: h1:c+OsvIAc3LCdc9dcfowGjT2bWjvLOccxhdguqHJUvbo= h1:67DgFFjYOCMWdtTEmKFpV3ffWlFnh+CYZ8ZS/tXWUfY=

This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.


Hi @Aviv_Carmi . I am not getting this locally, which version of Go are you using?

Are you still getting these security errors after trying this solution: Go modules: checksum mismatch - Stack Overflow ?

@Preston_Vasquez thanks for the reply.
I’m running into some voodoo stuff…
In my company we use,direct to be able to pull private repositories from github. When I ran GOPROXY= go get it did finish successfully, then when I ran go get again it succeeded again. Not sure how go mod works internally that explains this behavior and which checksum cache caused the problem in the first place.

To your question, I tried this exact stackoverflow answer, cleaned up local cache and still ran into this problem. I also asked several peers and they all reported the same thing. This is why I posted here but since no one else reports the same thing for almost a week, I think it might be related to our GOPROXY and GOPRIVATE overrides. I’ll try further investigating in relevant go mod related places.

@Aviv_Carmi @Preston_Vasquez I am also facing the same issue. Apparently, the checksum with 1.13.0 version is messed up. In the releases i see that version 1.12.2 was released after the 1.13.0 perhaps contributing to the checksum issues we are facing. I have reverted back to the older version to fix my issue. Please have a look at it, doesn’t seem to be an issue only with GOPROXY and GOPRIVATE overrides.

You should be able to reliably reproduce this issue like this:

$ go clean -modcache
$ GOPROXY=direct go mod download -x

The v1.13.0 tag seems to have been “moved”, and just happens to have seen the first attempt.
The snippet above downloads the current (presumably retagged) content, but compares it to the checksum in (which is the old one). So ⇒ :boom:
You can also compare the contents of the repo at the current v1.13.0 to the zip downloaded from and verify that they indeed do differ.

@Preston_Vasquez we probably need a minor tag to fix this.

6 days later, this is still an issue

The data for v1.13.0 on doesn’t match the VCS tag. We plan to retract v1.13.0 and release v1.13.1 next Tuesday, possibly sooner. We are aware of the impact and apologize for the inconvenience. In the meantime, please use v1.12.2 instead.

v1.13.1 has been released and v1.13.0 is retracted.

We discovered that the v1.13.0 Github tag was modified due to a bug in our release scripts, which is what lead to the security error when downloading the Go module. The original tag does not include all changes intended for v1.13.0 and should not be used. Please use version 1.13.1 or higher.

Thank you for your patience and we apologize for any problems this created!

– The Go Driver Team

1 Like

This topic was automatically closed after 90 days. New replies are no longer allowed.