by Ying Kit Yuen
An intro to dep: How to manage your Golang project dependencies
Update @ 2018–11–26: Technology is not just moving at a breakneck speed but also changing rapidly. Within a year, this article is OUTDATED!
And according to the dep project page:
dep was the “official experiment.” The Go toolchain, as of 1.11, has (experimentally) adopted an approach that sharply diverges from dep. As a result, we are continuing development of dep, but gearing work primarily towards the development of an alternative prototype for versioning behavior in the toolchain.
For more information about the new Go build-in management, please refer to the official GitHub Wiki — Go 1.11 Modules.
Previously, I posted an article about dependency management in Go using Glide. I got a feedback that Glide will become obsolete. The Glide team is suggesting users move to another dependency management tool called dep written by the Golang team.
The Go community now has the dep project to manage dependencies. Please consider trying to migrate from Glide to dep. Glide will continue to be supported for some time but is considered to be in a state of support rather than active feature development.
Update @ 2018–02–03:
- dep is officially released.
- dep is not moving into the toolchain with 1.10. please refer to the roadmap for the latest information.
Create the project inside $GOPATH
The project folder has to be inside $GOPATH in order to resolve the Gopackage paths. Let’s create a new project at $GOPATH/src/gitlab.com/ykyuen/dep-example and add the following file.
The dep way
Gopkg.toml and Gopkg.lock
dep reads two files called Gopkg.toml and the Gopkg.lock. Let’s initialize these 2 files using the dep init command.
[ykyuen@camus dep-example]$ dep init Using master as constraint for direct dep github.com/dustin/go-humanize Locking in master (bb3d318) for direct dep github.com/dustin/go-humanize
As you can see, the dep init command scans the source codes and downloads all the packages needed for the project into the vendor folder.
The Gopkg.lock serves exactly the same function as the glide.lock file. It locks the version of the packages EXCEPT the version should be maintained in the Gopkg.toml. In short, the Gopkg.lock file is auto-generated and it depends on the import statements in the source version controlled by Gopkg.toml.
Update dependency’s version
Let’s edit the Gopkg.toml and use a slightly older version of the go-humanize package instead of the latest master branch.
Then run dep ensure to update the package to the desired version. The following is the diff of the updated Gopkg.lock.
Add a new dependency
New package could be added using the dep ensure -add command.
[ykyuen@camus dep-example]$ dep ensure -add github.com/leekchan/accountingFetching sources...
"github.com/leekchan/accounting" is not imported by your project, and has been temporarily added to Gopkg.lock and vendor/.If you run "dep ensure" again before actually importing it, it will disappear from Gopkg.lock and vendor/.
Now we have the new accounting package ready in the vendor folder with new constraints written to Gopkg.toml and locked in Gopkg.lock. Let’s update the main.go as follow.
And run it.
[ykyuen@camus dep-example]$ go run main.gohello worldThat file is 83 MB.You're my 193rd best friend.You owe $6,582,491.$123,456,789.21$12,345,678.00$25,925,925.67-$25,925,925.67$123,456,789.21
The issue with git submodule
One major difference of dep compared to Glide is the package’s submodule is ignored. For example, after adding the go-goracle/goracle package by dep, the odpi submodule inside is empty and leads to error. The reason for dropping the submodule could be found at the following link.
Update @ 2018–02–03:
The paragraph about Git submodules is incorrect.
Sam Boyer wrote:
dep should be perfectly fine at pulling in git submodules in the case you describe. I just replicated what you describe here locally, and the problem isn’t submodules — it’s that there’s no Go code in github.com/go-goracle/goracle/odpi, so it can’t be imported directly.
You likely need to turn off unused-packages pruning in Gopkg.toml for that project specifically, as otherwise dep ensure will automatically remove what appears to be an unused directly (but it seems it’s actually used by cgo).
Update @ 2018–03–04:
- d̶̵̶e̶̵̶p̶̵̶ ̶̵̶i̶̵̶s̶̵̶ ̶̵̶q̶̵̶u̶̵̶i̶̵̶t̶̵̶e̶̵̶ ̶̵̶l̶̵̶i̶̵̶k̶̵̶e̶̵̶l̶̵̶y̶̵̶ ̶̵̶t̶̵̶o̶̵̶ ̶̵̶b̶̵̶e̶̵̶ ̶̵̶t̶̵̶h̶̵̶e̶̵̶ ̶̵̶o̶̵̶f̶̵̶f̶̵̶i̶̵̶c̶̵̶i̶̵̶a̶̵̶l̶̵̶ ̶̵̶d̶̵̶e̶̵̶p̶̵̶e̶̵̶n̶̵̶d̶̵̶e̶̵̶n̶̵̶c̶̵̶y̶̵̶ ̶̵̶m̶̵̶a̶̵̶n̶̵̶a̶̵̶g̶̵̶e̶̵̶m̶̵̶e̶̵̶n̶̵̶t̶̵̶ ̶̵̶t̶̵̶o̶̵̶o̶̵̶l̶̵̶ ̶̵̶i̶̵̶n̶̵̶ ̶̵̶t̶̵̶h̶̵̶e̶̵̶ ̶̵̶G̶̵̶o̶̵̶l̶̵̶a̶̵̶n̶̵̶g̶̵̶ ̶̵̶c̶̵̶o̶̵̶m̶̵̶m̶̵̶u̶̵̶n̶̵̶i̶̵̶t̶̵̶y̶̵̶.̶̵̶
- I̶̵̶f̶̵̶ ̶̵̶y̶̵̶o̶̵̶u̶̵̶ ̶̵̶a̶̵̶r̶̵̶e̶̵̶ ̶̵̶s̶̵̶t̶̵̶a̶̵̶r̶̵̶t̶̵̶i̶̵̶n̶̵̶g̶̵̶ ̶̵̶a̶̵̶ ̶̵̶n̶̵̶e̶̵̶w̶̵̶ ̶̵̶G̶̵̶o̶̵̶l̶̵̶a̶̵̶n̶̵̶g̶̵̶ ̶̵̶p̶̵̶r̶̵̶o̶̵̶j̶̵̶e̶̵̶c̶̵̶t̶̵̶,̶̵̶ ̶̵̶d̶̵̶e̶̵̶p̶̵̶ ̶̵̶i̶̵̶s̶̵̶ ̶̵̶g̶̵̶o̶̵̶o̶̵̶d̶̵̶ ̶̵̶t̶̵̶o̶̵̶ ̶̵̶g̶̵̶o̶̵̶.̶̵̶
- I̶f̶ ̶y̶o̶u̶ ̶a̶r̶e̶ ̶u̶s̶i̶n̶g̶ ̶G̶l̶i̶d̶e̶ ̶i̶n̶ ̶a̶ ̶l̶e̶g̶a̶c̶y̶ ̶p̶r̶o̶j̶e̶c̶t̶.̶ ̶Y̶o̶u̶ ̶c̶o̶u̶l̶d̶ ̶c̶o̶n̶s̶i̶d̶e̶r̶ ̶m̶i̶g̶r̶a̶t̶i̶n̶g̶ ̶t̶o̶ ̶d̶e̶p̶ ̶b̶u̶t̶ ̶i̶ ̶t̶h̶i̶n̶k̶ ̶t̶h̶e̶r̶e̶ ̶i̶s̶ ̶n̶o̶ ̶h̶a̶r̶m̶ ̶t̶o̶ ̶k̶e̶e̶p̶ ̶u̶s̶i̶n̶g̶ ̶G̶l̶i̶d̶e̶ ̶f̶o̶r̶ ̶a̶ ̶w̶h̶i̶l̶e̶ ̶u̶n̶t̶i̶l̶ ̶d̶e̶p̶ ̶i̶s̶ ̶o̶f̶f̶i̶c̶i̶a̶l̶l̶y̶ ̶r̶e̶l̶e̶a̶s̶e̶d̶.̶
- I̶n̶ ̶a̶d̶d̶i̶t̶i̶o̶n̶,̶ ̶m̶i̶s̶s̶i̶n̶g̶ ̶p̶a̶c̶k̶a̶g̶e̶’̶s̶ ̶s̶u̶b̶m̶o̶d̶u̶l̶e̶ ̶m̶a̶y̶ ̶r̶e̶s̶u̶l̶t̶ ̶i̶n̶ ̶m̶a̶l̶f̶u̶n̶c̶t̶i̶o̶n̶ ̶o̶f̶ ̶y̶o̶u̶r̶ ̶c̶o̶d̶e̶.̶
- dep is officially released.
- dep works well on pulling git submodule.
- Use standard library wherever possible. (Suggested by philoserf)
- You can checkout this example on gitlab.com.
— Originally posted on Boatswain Blog.