Go Dependency Management

Discussions center on the history, challenges, and evolution of package and dependency management in Go, including tools like dep, vgo, and go modules, with debates on whether issues are resolved.

📉 Falling 0.5x Programming Languages

3,046

Comments

Years Active

Top Authors

#5600

Topic ID

Activity Over Time

2009

2010

2011

2012

2013

172

2014

165

2015

201

2016

210

2017

165

2018

501

2019

214

2020

255

2021

194

2022

280

2023

234

2024

184

2025

215

2026

Top Contributors

verdverm (28) grey-area (27) lobster_johnson (25) skybrian (25) TheDong (25)

Keywords

JS S3 Crates.io HEAD CSP FAQ reddit.com TileStache google.com PackageManagementTools dependency dependency management package management modules code package management dependencies versioning io

Sample Comments

pawalt • May 14, 2020 • View on HN

This hasn't been a thing in Go for a long time. Go dep and now go modules fix this.

vesak • Aug 14, 2018 • View on HN

What is the current recommendation for dependency management in Go for a new project?

treve • Jul 27, 2016 • View on HN

Is go package management still an unsolved problem then?

kitsune_ • Jun 3, 2014 • View on HN

I've created a couple of projects in Go so far (a map server, similar to TileStache etc.) - Sure, the lack of generics is annoying, but I think the real elephant in the room is dependency and package management. The way Go expects you to organize your source code (the workspace concept, GOPATH, go get and github-repos as import paths) is a huge road block here. To this day the Go community hasn't settled on any kind of solution. If you bring any of this up on the mailing list you'

cletus • Sep 8, 2022 • View on HN

Several reasons:1. Finding dependencies with tooling now requires parsing code. Luckily Go's syntax is relatively simple and doesn't have conditional includes like C++ does but it'd be better if you could simply inspect a depedency configuration;2. You're directly importing potentially untrusted code that will often be of the form "github.io/someuser/reponame" so you now have a depedency on some random user's security practices or even just whim

allover • Jun 7, 2018 • View on HN

The go team recognise there's a fundamental problem with it, otherwise they wouldn't have created dep and vgo [1][1] https://github.com/golang/go/issues/24301

puika • Apr 19, 2024 • View on HN

This hasn't been the case since go modules exist, if I understand your issue correctly: https://go.dev/blog/using-go-modules. You can additionally vendor each project's dependencies

jatone • Apr 19, 2020 • View on HN

no have no idea what you're talking about. these problems don't exist anymore since godep and now go modules which is builtin to standard go tooling.

angryfeller • Dec 15, 2021 • View on HN

npm is just another layer on top of git. go uses git directly. how is that any worse?

kodr • Apr 2, 2017 • View on HN

Go doesn't really have a package manager (and that's a problem), it pulls the sources of the dependencies from github for example. There are multiple tools [1] to manage versioning, but Google only released recently (end of january) an official tool, still in beta.[1] https://github.com/golang/go/wiki/PackageManagementTools