Dependency Management in Go
a deep dive into dep

Carolyn Van Slyck

Gopher working hard to move packages/boxes
Gophers by Ashley McNamara

http://carolynvs.com/dep-deep-dive

Why Dependency Management?

go no need dependency management!

I have regrets

xkcd.com/927

Manifest - Gopkg.toml


[[constraint]]
  name = "github.com/sdboyer/deptest"
  source = "http://github.com/carolynvs/deptest"
  version = "0.8.0"

[[constraint]]
  branch = "master"
  name = "github.com/pkg/errors"

maintained by you

Lock - Gopkg.lock


[[projects]]
  name = "github.com/sdboyer/deptest"
  revision = "ff2948a2ac8f538c4ecd55962e919d1e13e74baf"
  version = "v0.8.1"

[[projects]]
  name = "github.com/pkg/errors"
  revision = "17b591df37844cde689f4d5813e5cea0927d8dd2"
  version = "v0.7.1"

maintained by dep

 

What the what? Why v0.8.1 instead of 0.8.0? Where did master go? 🤔

They are more what you'd call "guidelines"...

dep prefers ranges over specific versions

1.2.3 becomes >=1.2.3, <2.0.0
0.2.3 becomes >=0.2.3, <0.3.0
0.0.3 becomes >=0.0.3, <0.1.0

 

Use =0.8.1 to pin to a version
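
Why the lock above can hold v0.8.1 when the manifest says 0.8.0, as an added example (not from the talk and not dep's own code): it applies the three range rules and the = pin from this slide to a manifest version string and a locked version. The names parse, less and Allowed are made up for the example, and pre-release suffixes, branches and revisions are not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// parse turns "v0.8.1" or "0.8.1" into [major, minor, patch].
func parse(s string) (v [3]int, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	_, err = fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2])
	return v, err
}

// less reports whether version a sorts before version b.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Allowed reports whether a locked version satisfies a manifest version
// string: "=x.y.z" is an exact pin, a bare "x.y.z" is the range on the slide.
func Allowed(constraint, locked string) (bool, error) {
	got, err := parse(locked)
	if err != nil {
		return false, err
	}
	lo, err := parse(strings.TrimPrefix(constraint, "="))
	if err != nil {
		return false, err
	}
	if strings.HasPrefix(constraint, "=") {
		return got == lo, nil // exact pin
	}
	hi := [3]int{lo[0] + 1, 0, 0} // 1.2.3 -> <2.0.0
	if lo[0] == 0 {
		hi = [3]int{0, lo[1] + 1, 0} // 0.2.3 -> <0.3.0, 0.0.3 -> <0.1.0
	}
	return !less(got, lo) && less(got, hi), nil
}

func main() {
	ok, err := Allowed("0.8.0", "v0.8.1") // the manifest and lock shown earlier
	fmt.Println("0.8.0 allows v0.8.1:", ok, err)
}
```

Running the same check in review against a changed Gopkg.lock shows which manifest entries let a newer upstream release in without a manifest edit.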

Vendor Directory

Owned by dep
No files are safe from its tyranny!

 

Check it in for a smug sense of superiority

dep init

Doing probably the right thing since that PR the other week

You are making a fresh start

dep init

  1. Identifies your dependencies.
  2. Checks if your dependencies use dep.
  3. Picks the highest compatible version for each dependency.

You are already using another dependency manager

dep init

  1. Imports your existing configuration.
  2. Checks if your dependencies use dep.
  3. Falls back to the simple case to fill in gaps.

Your GOPATH isn't a steaming 💩

dep init -gopath

  1. Uses the branch/version/revision found in GOPATH.
  2. Checks if your dependencies use dep.
  3. Falls back to the simple case to fill in gaps.

Your dependencies are already vendored

dep init

  1. Makes a backup of vendor and takes over.
  2. Generates an initial set of configuration files.
    These do not match your original vendor!
  3. Leaves it up to you to fix them by hand... Sorry.

shrugging my little pony

dep ensure

  • Run on fresh clones if you don't check in vendor
  • Run after modifying your manifest

dep status


PROJECT                             CONSTRAINT     VERSION        REVISION  LATEST
github.com/Masterminds/semver       branch 2.x     branch 2.x     139cc09   c2e7f6c
github.com/Masterminds/vcs          ^1.11.0        v1.11.1        3084677   3084677
github.com/armon/go-radix           *              branch master  4239b77   4239b77

How do I add a dependency?

  1. Add an import statement.
  2. Run dep ensure.

How do I update a dependency?

dep ensure -update -n

dep ensure -update
dep ensure -update github.com/carolynvs/loves-ponies
dep ensure -update github.com/carolynvs/loves-ponies@v2.0.1

How do I remove a dependency?

  1. Stop using it in your code.
  2. Run dep ensure.
  3. If it was in your manifest, you may remove it.

How do I test uncommitted changes to a dependency?

  1. Delete it from the vendor directory.
  2. Avoid running dep ensure for a wee bit.
  3. Make your changes to the project in your GOPATH.

The Floor is Lava

  • 🤞 The config file format is stable.
  • 🎉 dep init is ready for you to try out!
  • 🚧 dep ensure has big changes fermenting in a PR.

Fun problems yet to be solved

  • Enterprise / Private Repositories
  • os, arch and build tags
  • Local repositories
  • Long-term support for other tools

Resources

Thank you

@carolynvs

http://carolynvs.com/dep-deep-dive