cmd/go: go mod should not auto update dependencies in version 0.x.y

[cch123]

What version of Go are you using (go version)?

go version go1.13.9 darwin/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output

GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/xargin/Library/Caches/go-build"
GOENV="/Users/xargin/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/xargin/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/sw/j70z06s92rj_wwv71lvt3vhm0000gp/T/go-build841600596=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Our app depends on a library A ver 0.6.9, and someday we import another lib, whose subpackage has 0.8.0 version info for this library A, but we don't directly depends on this subpackage. Go mod still "helps" us to update A to 0.8.0 and build fails.

According to semver spec:

Major version zero (0.y.z) is for initial development. Anything MAY change at any time. The public API SHOULD NOT be considered stable.

Auto-update library 0.x.y will cause the user's build to fail. go mod should consider not update the lib's version in such situation

What did you expect to see?

go mod didn't update the lib's versoin.

What did you see instead?

the lib A ver 0.6.9 was auto-updated to 0.8.0

[andybons]

@jayconrod @bcmills @matloob

[bcmills]

Duplicate of #28692