Traditionally, Go has handled dependencies by installing them all in the same directory under
$GOPATH/src. This works fine if you’re working on a small application you do not care too much
about; but if the project is large or has lots of developers, version locking dependencies becomes a
must, lest library version mismatches will ruin your day.
Version locking dependencies is typically not a problem for the more popular languages; however since Go keeps all dependencies in one area, you could not have more than one version of the same dependency installed. How the community got around this limitation was to abuse go subpackages to store dependencies using tools like Godep. The problem with this approach is that you end up with ridiculously long import paths that are a pain to manage and make vim scream.
import ( "html/template" "net/http" // Try checking at a glance at what this really is. "github.com/reshurum/really-long-app-name/Godeps/_workspace/src/github.com/gorilla/mux" "github.com/reshurum/really-long-app-name/Godeps/_workspace/src/github.com/gorilla/sessions" )
With the release of Go 1.5, an experimental environment variable called
added to solve this problem. The only problem is that it’s not enabled by default so you have to
make it clear to contributors it’s required. With the upcoming release of Go 1.6 vendoring
is now enabled by default and considered stable.
Vendoring allows Go projects to put dependencies in directory called
vendor, and these
dependencies can be referenced using the traditional method.
import ( "html/template" "net/http" // These will reference the versions under vendor if they exist and fall // back to $GOPATH/src if not available. "github.com/gorilla/mux" "github.com/gorilla/sessions" )
go get will not manage vendor directories though and leaves that job to tools like
Glide. Glide will set up lock files and keep track of
project dependencies using a project specific configuration file. These tools are not required and
it is up to developers to decide how they want to manage their dependencies.
All in all, dependency management in Go is much less of a pain with vendoring considered stable in
the upcoming release of Go 1.6.
At the time of this writing, Go 1.6 has yet to release and a
release candidate version can be found here. Go 1.6 is now
released and can be downloaded here.