An intro to dep: How to manage your Golang project dependencies

The Go community now has the dep project to manage dependencies.

dep — A Go dependency management tool


Update @ 2018–11–26: Technology is not just moving at a breakneck speed but also changing rapidly. Within a year, this article is OUTDATED!


And according to the dep project page:
dep was the “official experiment.” The Go toolchain, as of 1.11, has (experimentally) adopted an approach that sharply diverges from dep. As a result, we are continuing development of dep, but gearing work primarily towards the development of an alternative prototype for versioning behavior in the toolchain.

For more information about the new Go build-in management, please refer to the official GitHub Wiki — Go 1.11 Modules.

Thanks John Arundel @bitfield and Erhan Yakut @yakuter for revealing the problem. 🙇

The Go community now has the dep project to manage dependencies. Please consider trying to migrate from Glide to dep. Glide will continue to be supported for some time but is considered to be in a state of support rather than active feature development.

There is a plan about integrating dep into the toolchain in Go 1.10 release, but seems it still has a way to go.

Update @ 2018–02–03:
  • dep is officially released.
  • dep is not moving into the toolchain with 1.10. please refer to theroadmap for the latest information.

And I am just not fast enough. 🐌
And I am just not fast enough. 🐌

. . .

Create the project inside $GOPATH

The project folder has to be inside $GOPATH in order to resolve the Gopackage paths. Let’s create a new project at $GOPATH/src/gitlab.com/ykyuen/dep-example and add the following file.
main.go

. . .

The dep way


Gopkg.toml and Gopkg.lock

dep reads two files called Gopkg.toml and the Gopkg.lock. Let’s initialize these 2 files using the dep init command.
[ykyuen@camus dep-example]$ dep init Using master as constraint for direct dep github.com/dustin/go-humanize Locking in master (bb3d318) for direct dep github.com/dustin/go-humanize

As you can see, the dep init command scans the source codes and downloads all the packages needed for the project into the vendor folder.

The Gopkg.lock serves exactly the same function as the glide.lock file. It locks the version of the packages EXCEPT the version should be maintained in the Gopkg.toml. In short, the Gopkg.lock file is auto-generated and it depends on the import statements in the source version controlled by Gopkg.toml.


Update dependency’s version

Let’s edit the Gopkg.toml and use a slightly older version of the go-humanizepackage instead of the latest master branch.


Then run dep ensure to update the package to the desired version. The following is the diff of the updated Gopkg.lock.

. . .

Add a new dependency

New package could be added using the dep ensure -add command.
[ykyuen@camus dep-example]$ dep ensure -add github.com/leekchan/accounting Fetching sources...
"github.com/leekchan/accounting" is not imported by your project, and has been temporarily added to Gopkg.lock and vendor/. If you run "dep ensure" again before actually importing it, it will disappear from Gopkg.lock and vendor/.

Now we have the new accounting package ready in the vendor folder with new constraints written to Gopkg.toml and locked in Gopkg.lock. Let’s update the main.go as follow.
main.go
And run it.
[ykyuen@camus dep-example]$ go run main.go hello world That file is 83 MB. You're my 193rd best friend. You owe $6,582,491. $123,456,789.21 $12,345,678.00 $25,925,925.67 -$25,925,925.67 $123,456,789.21


The issue with git submodule

One major difference of dep compared to Glide is the package’s submodule is ignored. For example, after adding the go-goracle/goracle package by dep, the odpi submodule inside is empty and leads to error. The reason for dropping the submodule could be found at the following link.
Update @ 2018–02–03:
The paragraph about Git submodules is incorrect.
Sam Boyer wrote:
dep should be perfectly fine at pulling in git submodules in the case you describe. I just replicated what you describe here locally, and the problem isn’t submodules — it’s that there’s no Go code in github.com/go-goracle/goracle/odpi, so it can’t be imported directly.
You likely need to turn off unused-packages pruning in Gopkg.toml for that project specifically, as otherwise dep ensure will automatically remove what appears to be an unused directly (but it seems it’s actually used by cgo).

Update @ 2018–03–04:
It is found that the go-goracle/goracle package doesn’t work with dep. You could follow the issue below and check the latest update from the dep team.
. . .

Summary

  • d̶̵̶e̶̵̶p̶̵̶ ̶̵̶i̶̵̶s̶̵̶ ̶̵̶q̶̵̶u̶̵̶i̶̵̶t̶̵̶e̶̵̶ ̶̵̶l̶̵̶i̶̵̶k̶̵̶e̶̵̶l̶̵̶y̶̵̶ ̶̵̶t̶̵̶o̶̵̶ ̶̵̶b̶̵̶e̶̵̶ ̶̵̶t̶̵̶h̶̵̶e̶̵̶ ̶̵̶o̶̵̶f̶̵̶f̶̵̶i̶̵̶c̶̵̶i̶̵̶a̶̵̶l̶̵̶ ̶̵̶d̶̵̶e̶̵̶p̶̵̶e̶̵̶n̶̵̶d̶̵̶e̶̵̶n̶̵̶c̶̵̶y̶̵̶ ̶̵̶m̶̵̶a̶̵̶n̶̵̶a̶̵̶g̶̵̶e̶̵̶m̶̵̶e̶̵̶n̶̵̶t̶̵̶ ̶̵̶t̶̵̶o̶̵̶o̶̵̶l̶̵̶ ̶̵̶i̶̵̶n̶̵̶ ̶̵̶t̶̵̶h̶̵̶e̶̵̶ ̶̵̶G̶̵̶o̶̵̶l̶̵̶a̶̵̶n̶̵̶g̶̵̶ ̶̵̶c̶̵̶o̶̵̶m̶̵̶m̶̵̶u̶̵̶n̶̵̶i̶̵̶t̶̵̶y̶̵̶.̶̵̶
  • I̶̵̶f̶̵̶ ̶̵̶y̶̵̶o̶̵̶u̶̵̶ ̶̵̶a̶̵̶r̶̵̶e̶̵̶ ̶̵̶s̶̵̶t̶̵̶a̶̵̶r̶̵̶t̶̵̶i̶̵̶n̶̵̶g̶̵̶ ̶̵̶a̶̵̶ ̶̵̶n̶̵̶e̶̵̶w̶̵̶ ̶̵̶G̶̵̶o̶̵̶l̶̵̶a̶̵̶n̶̵̶g̶̵̶ ̶̵̶p̶̵̶r̶̵̶o̶̵̶j̶̵̶e̶̵̶c̶̵̶t̶̵̶,̶̵̶ ̶̵̶d̶̵̶e̶̵̶p̶̵̶ ̶̵̶i̶̵̶s̶̵̶ ̶̵̶g̶̵̶o̶̵̶o̶̵̶d̶̵̶ ̶̵̶t̶̵̶o̶̵̶ ̶̵̶g̶̵̶o̶̵̶.̶̵̶
  • I̶f̶ ̶y̶o̶u̶ ̶a̶r̶e̶ ̶u̶s̶i̶n̶g̶ ̶G̶l̶i̶d̶e̶ ̶i̶n̶ ̶a̶ ̶l̶e̶g̶a̶c̶y̶ ̶p̶r̶o̶j̶e̶c̶t̶.̶ ̶Y̶o̶u̶ ̶c̶o̶u̶l̶d̶ ̶c̶o̶n̶s̶i̶d̶e̶r̶ ̶m̶i̶g̶r̶a̶t̶i̶n̶g̶ ̶t̶o̶ ̶d̶e̶p̶ ̶b̶u̶t̶ ̶i̶ ̶t̶h̶i̶n̶k̶ ̶t̶h̶e̶r̶e̶ ̶i̶s̶ ̶n̶o̶ ̶h̶a̶r̶m̶ ̶t̶o̶ ̶k̶e̶e̶p̶ ̶u̶s̶i̶n̶g̶ ̶G̶l̶i̶d̶e̶ ̶f̶o̶r̶ ̶a̶ ̶w̶h̶i̶l̶e̶ ̶u̶n̶t̶i̶l̶ ̶d̶e̶p̶ ̶i̶s̶ ̶o̶f̶f̶i̶c̶i̶a̶l̶l̶y̶ ̶r̶e̶l̶e̶a̶s̶e̶d̶.̶
  • I̶n̶ ̶a̶d̶d̶i̶t̶i̶o̶n̶,̶ ̶m̶i̶s̶s̶i̶n̶g̶ ̶p̶a̶c̶k̶a̶g̶e̶’̶s̶ ̶s̶u̶b̶m̶o̶d̶u̶l̶e̶ ̶m̶a̶y̶ ̶r̶e̶s̶u̶l̶t̶ ̶i̶n̶ ̶m̶a̶l̶f̶u̶n̶c̶t̶i̶o̶n̶ ̶o̶f̶ ̶y̶o̶u̶r̶ ̶c̶o̶d̶e̶.̶
  • dep is officially released.
  • dep works well on pulling git submodule.
  • Use standard library wherever possible.
  • You can checkout this example on gitlab.com.

Never miss a post from Chris Gregori, when you sign up for Ednsquare.