Description
Package manager/ecosystem
go_modules
Manifest contents prior to update
github.com/buger/jsonparser v1.0.0
Updated dependency
github.com/buger/jsonparser v1.1.1
What you expected to see, versus what you actually saw
Above package is just an example, it happens with any update. We have the following replace line in our go.mod file:
`replace github.com/dghubble/oauth1 => github.com/klippa-app/oauth1 v0.0.0-20190731095211-0d6b37cb52ba`
While this replacing is very valid and these packages can both be fetched from GitHub, Dependabot decides that this go.mod can't be vendored, so in the resulting MR it only updated the go.mod, making the go.sum and vendor folder invalid.
It looks like it's caused by this line:
https://github.com/dependabot/dependabot-core/blob/main/go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb#L97
If there's any line that starts with `replace`, it's not going to vendor it?
Images of the diff or a link to the PR, issue or logs
It looks like these are a little related:
#1193
#1172
Edit: just tested this in a project without a replace directive, it does edit the go.sum in that case, but it still does not update the vendor folder. Created a separate issue for that: #3380
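As an added example (not Dependabot's code and not part of the report above), the following Ruby snippet parses the replace directives of a go.mod and classifies each by whether its target is a local filesystem path or a module path plus version; only the former cannot be fetched, so a "skip vendoring if any line starts with replace" rule is coarser than the distinction the Go module spec draws. The sample go.mod is constructed and reuses the replace line quoted in the report.

```ruby
# Classify go.mod replace directives: a target that is an absolute path or
# starts with ./ or ../ is a local directory (not fetchable); any other target
# is a module path with a version and can be downloaded and vendored.
REPLACE_RE = /\A(\S+)(?:\s+(\S+))?\s*=>\s*(\S+)(?:\s+(\S+))?\z/

def local_path?(target)
  target.start_with?("./", "../", "/")
end

def build(spec)
  m = REPLACE_RE.match(spec)
  return nil unless m
  { old: m[1], old_version: m[2], new: m[3], new_version: m[4], local: local_path?(m[3]) }
end

# Returns one hash per replace directive, handling both the single-line
# form and the parenthesised block form.
def parse_replaces(go_mod)
  replaces = []
  in_block = false
  go_mod.each_line do |raw|
    line = raw.sub(%r{//.*}, "").strip # drop trailing comments
    next if line.empty?
    if in_block
      in_block = false if line == ")"
      replaces << build(line) unless line == ")"
    elsif line == "replace ("
      in_block = true
    elsif line.start_with?("replace ")
      replaces << build(line.sub(/\Areplace\s+/, ""))
    end
  end
  replaces.compact
end

# Vendoring is only blocked by replaces whose target is a local path.
def vendorable?(go_mod)
  parse_replaces(go_mod).none? { |r| r[:local] }
end

# Constructed sample; the first replace is the one from the report above.
SAMPLE_GO_MOD = <<~GOMOD
module example.com/app

go 1.16

require github.com/dghubble/oauth1 v0.6.0

replace github.com/dghubble/oauth1 => github.com/klippa-app/oauth1 v0.0.0-20190731095211-0d6b37cb52ba

replace (
    example.com/internal/lib => ../lib // local checkout, not fetchable
)
GOMOD
```

Running `parse_replaces(SAMPLE_GO_MOD)` yields two entries, only the `../lib` one flagged local, so `vendorable?` is false for the sample and true once that block is removed.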