Dependency Management in Go
a deep dive into dep

Carolyn Van Slyck

Gopher working hard to move packages/boxes
Gophers by Ashley McNamara

Why Dependency Management?

go no need dependency management!

I have regrets

Manifest - Gopkg.toml

  name = ""
	source = ""
  version = "0.8.0"

  branch = "master"
	name = ""

maintained by you

Lock - Gopkg.lock

  name = ""
  revision = "ff2948a2ac8f538c4ecd55962e919d1e13e74baf"
  version = "v0.8.1"

  name = ""
  revision = "17b591df37844cde689f4d5813e5cea0927d8dd2"
  version = "v0.7.1"

maintained by dep


What the what? Why v0.8.1 instead of 0.8.0? Where did master go? 🤔

They are more what you'd call "guidelines"...

dep prefers ranges over specific versions

1.2.3 becomes >=1.2.3, <2.0.0
0.2.3 becomes >=0.2.3, <0.3.0
0.0.3 becomes >=0.0.3, <0.1.0


Use =0.8.1 to pin to a version

Vendor Directory

Owned by dep
No files are safe from its tyranny!


Check it in for a smug sense of superiority

dep init

Doing probably the right thing since that PR the other week

You are making a fresh start

dep init

  1. Identifies your dependencies.
  2. Checks if your dependencies use dep.
  3. Picks the highest compatible version for each dependency.

You are already using another dependency manager

dep init

  1. Imports your existing configuration.
  2. Checks if your dependencies use dep.
  3. Falls back to the simple case to fill in gaps.

Your GOPATH isn't a steaming 💩

dep init -gopath

  1. Uses the branch/version/revision found in GOPATH.
  2. Checks if your dependencies use dep.
  3. Falls back to the simple case to fill in gaps.

Your dependencies are already vendored

dep init

  1. Makes a backup of vendor and takes over.
  2. Generates an initial set of configuration files.
    These do not match your original vendor!
  3. Leaves it up to you to fix them by hand... Sorry.

shrugging my little pony

dep ensure

  • Run on fresh clones if you don't check-in vendor
  • Run after modifying your manifest

dep status

PROJECT                             CONSTRAINT     VERSION        REVISION  LATEST       branch 2.x     branch 2.x     139cc09   c2e7f6c          ^1.11.0        v1.11.1        3084677   3084677           *              branch master  4239b77   4239b77

How do I add a dependency?

  1. Add an import statement.
  2. Run dep ensure.

How do I update a dependency?

dep ensure -update -n

dep ensure -update
dep ensure -update
dep ensure -update

How do I remove a dependency?

  1. Stop using it in your code.
  2. Run dep ensure.
  3. If it was in your manifest, you may remove it.

How do I test uncommitted changes to a dependency?

  1. Delete it from the vendor directory.
  2. Avoid running dep ensure for a wee bit.
  3. Make your changes to the project in your GOPATH.

The Floor is Lava

  • 🤞 The config file format is stable.
  • 🎉 dep init is ready for you to try out!
  • 🚧 dep ensure has big changes fermenting in a PR.

Fun problems yet to be solved

  • Enterprise / Private Repositories
  • os, arch and build tags
  • Local repositories
  • Long-term support for other tools


Thank you