Skip to content

3-deps.md

Latest commit

 

History

History
78 lines (52 loc) · 3.05 KB

3-deps.md

File metadata and controls

78 lines (52 loc) · 3.05 KB

Managing third party dependencies

The Go community found out that the best way to manage dependencies was by vendoring them.

To vendor a dependency means that the code of that package we depend on is copied into our workspace and stored as part of our project.

This has some advantages such as the fact that if a dependency disappears from their original repo our code still compiles and it's easier to have actually repeatable builds. But there are some disadvantages too, mainly based on the fact that updating to a new version requires more than just modifying a number in a configuration file.

The Go community has created many of these tools over time, and even though they're worth reading about we will not cover them during this workshop. You can see a list with most of them in the Go wiki.

I also recommend reading The Saga of Go Dependency Management for a better understanding of the current state.

The tool that we will use for this workshop is the newest one: dep. This tool is the result of months of work by the Dependency Management Working Group.

Using dep

The dep tool will manage dependencies in the vendor directory. It has a very small number of features by design, keeping it as simple as possible to enable more.

To install dep simply run:

$ go get -u github.com/golang/dep/cmd/dep

You can now run dep from inside a package in your GOPATH to vendor all its dependencies by running:

$ dep init
$ dep ensure

To update a dependency to a new version, you might update Gopkg.toml and run:

$ dep ensure

Exercise: managing dependencies

Install dep and run dep init from hello-vendor.

Running this will create:

  • Gopkg.toml: a file where you can add restrictions and extra information about your package.
  • vendor: containing all of the dependencies for hello-vendor.
  • Gopkg.lock: an autogenerated file keeping track of the contents of vendor.

You should never edit vendor or Gopkg.lock directly, instead you should edit Gopkg.toml and use the dep binary.

Let's ensure that we are using the version 1.0.0 of logrus in our vendor directory. Simply change the stanza in Gopkg.toml and run:

$ dep ensure

Note: You will need to use a = before the version number in Gopkg.toml in order to ensure you're using that version and not a more recent one.

Did you see any changes in any of the files mentioned above? Try using a different version of logrus from this list.

Congratulations!

You know how to vendor the dependencies in a project and how to update to a newer version whenever that's needed!

This is the end of the chapter on workspace management, next we'll learn about how to actually write code. Continue with next chapter.