Vendoring & Versioning with Go

4 November 2016

Chris Roche

Software Engineer, Lyft

Go's Vendoring History

In the beginning, there was the mono-repo

Go 1.0 - 1.4 : WYSIWYG

Path to ./vendor

Go 1.5 (Aug 2015)
- Enabled use of the ./vendor directory
- Disabled by default

Go 1.6 (Feb 2016)
- Enabled by default

Go 1.7 (Aug 2017)
- Cannot disable

How does it work?

First: ./vendor
- From: ""
- To: ""
- Never import vendor (compilation will fail or behave strangely)
- Commit or not to commit? (up to preference)

Second: $GOPATH/src
- This is how subpackages of a project are loaded
- Useful for testing/debugging libraries in dependent's context

Finally: $GOROOT/src
- Standard Library exclusively
- Never ever ever touch/add to these

Sidebar: Versioning Go with Gimme

brew install gimme # other ways (it's just a shell script)
gimme 1.7.3
go version
go version go1.7.3 darwin/amd64

Configure in your bash/zsh profile:

source $HOME/.gimme/envs/latest.env

Configure in IntelliJ (per project):

Vendoring/Versioning Tools



Ecosystem: $HOME/.glide

Ecosystem: ./glide.yaml


- package:
  version: unstable-branch
- package:
  version: ^1.2.3

- package:
  - assert

Ecosystem: ./glide.lock

hash: d8dc02f36d3bd58163dfc37dfd022a8539e31258d8f2c2ad417ef8f3d6d76d2a
updated: 2016-10-06T17:33:31.683461401-04:00
- name:
  version: 74a703abb31ea9faf7622930e5daba1559b01b37

glide init: Starting a New Project

glide init
[INFO]  Generating a YAML configuration file and guessing the dependencies
[INFO]  Attempting to import from other package managers (use --skip-import to skip)
[INFO]  Scanning code to look for dependencies
[INFO]  --> Found reference to
[INFO]  --> Found reference to
[INFO]  Writing configuration file (glide.yaml)

glide update: Update All Deps and Lock

glide update
[INFO]  Downloading dependencies. Please wait...
[INFO]  --> Fetching updates for
[INFO]  --> Fetching
[INFO]  Resolving imports
[INFO]  --> Fetching
[INFO]  Downloading dependencies. Please wait...
[INFO]  Setting references for remaining imports
[INFO]  Exporting resolved dependencies...
[INFO]  --> Exporting
[INFO]  --> Exporting
[INFO]  --> Exporting
[INFO]  Replacing existing vendor dependencies
[INFO]  Project relies on 3 dependencies.

glide install: Dependencies from Lock

glide install
[INFO]  Downloading dependencies. Please wait...
[INFO]  --> Found desired version locally 77ed1c8a01217656d2080ad51981f6e99adaa177!
[INFO]  --> Found desired version locally d15fa2e2a63dd52104bc96d8ea7dc47ce8027de8!
[INFO]  --> Found desired version locally 9fa8f10901c17b49ed52a824cf9226006580a06d!
[INFO]  Setting references.
[INFO]  --> Setting version for to 77ed1c8a01217656d2080ad51981f6e99adaa177.
[INFO]  --> Setting version for to d15fa2e2a63dd52104bc96d8ea7dc47ce8027de8.
[INFO]  --> Setting version for to 9fa8f10901c17b49ed52a824cf9226006580a06d.
[INFO]  Exporting resolved dependencies...
[INFO]  --> Exporting
[INFO]  --> Exporting
[INFO]  --> Exporting
[INFO]  Replacing existing vendor dependencies

glide get: Add a dependency

glide get


Using `master` does what you expect

Updates are predictable


[WARN] Lock file may be out of date. Hash check of YAML failed. You may need to run 'update'



glide update

[WARN] Version not set for package



That package should not be installing

Failed to update/download/"set version" on

When in doubt?

Working with Local Dependencies


Glide Docs

Package Management Official Proposal

Thank you

Chris Roche

Software Engineer, Lyft

Use the left and right arrow keys or click the left and right edges of the page to navigate between slides.
(Press 'H' or navigate to hide this message.)