Dependency hygiene is critical for security, reproducibility, and developer experience. Follow these practices to ensure our module stays stable, up to date, and secure.
- All dependencies must be managed via Go Modules (`go.mod`, `go.sum`).
- After adding, updating, or removing imports, run:

  ```bash
  go mod tidy
  ```

  or via magex command:

  ```bash
  magex deps:tidy
  ```

- Periodically refresh dependencies with:

  ```bash
  go get -u ./...
  ```

  or via magex command:

  ```bash
  magex deps:update
  ```

  Avoid unnecessary upgrades near release windows; review major version bumps carefully for breaking changes.
- Use `govulncheck` to identify known vulnerabilities:

  ```bash
  govulncheck ./...
  ```

- Run via magex command:

  ```bash
  magex deps:audit
  ```

- Run `gitleaks` before committing code to detect hardcoded secrets or sensitive data in the repository:

  ```bash
  brew install gitleaks
  gitleaks detect --source . --log-opts="--all" --verbose
  ```

- Address critical advisories before merging changes into `main`/`master`.
- Document any intentionally ignored vulnerabilities with clear justification and issue tracking.
- We follow the OpenSSF best practices to ensure this repository remains compliant with industry-standard open source security guidelines.
- Never manually edit `go.sum`.
- Do not vendor dependencies; we rely on modules for reproducibility.
- Lockstep upgrades across repos (when applicable) should be coordinated and noted in PRs.
Changes to dependencies should be explained in the PR description and ideally linked to the reason (e.g., bug fix, security advisory, feature requirement).
- Check for updates:

  ```bash
  go list -u -m all
  ```

- Update minor/patch versions:

  ```bash
  go get -u ./...
  go mod tidy
  ```

- Test thoroughly:

  ```bash
  magex test
  magex test:race
  magex bench
  ```

- Security scan:

  ```bash
  magex deps:audit
  ```
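The "check for updates" step above lists every module with a newer version, but it does not say how risky each update is. The following added example (not part of this repository's tooling; the field names `Path`, `Version`, `Main`, `Indirect` and `Update` are the real ones emitted by `go list -u -m -json all`, everything else is an assumption) parses that JSON stream and classifies each available update as a major, minor, or patch bump, so major bumps can be routed to the careful review this page asks for. The sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// Module mirrors the subset of `go list -u -m -json all` fields needed here.
// Field names are the real ones from the Go tool; unknown fields are ignored.
type Module struct {
	Path     string  `json:"Path"`
	Version  string  `json:"Version"`
	Main     bool    `json:"Main"`
	Indirect bool    `json:"Indirect"`
	Update   *Module `json:"Update"` // non-nil when a newer version exists
}

// Finding describes one available update and how large the version jump is.
type Finding struct {
	Path     string
	From, To string
	Kind     string // "major", "minor", "patch" or "unknown"
	Indirect bool
}

// parseSemver splits "v1.2.3" into numeric parts. Pre-release and build
// suffixes ("-rc1", "-20240101...-abcdef", "+meta") are ignored.
func parseSemver(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, false
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return 0, 0, 0, false
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], true
}

// classifyBump reports whether moving from -> to changes the major, minor or
// patch component. Pseudo-versions that differ only in their timestamp yield
// "unknown", which is a signal to inspect the commit range by hand.
func classifyBump(from, to string) string {
	fM, fm, fp, ok1 := parseSemver(from)
	tM, tm, tp, ok2 := parseSemver(to)
	if !ok1 || !ok2 {
		return "unknown"
	}
	switch {
	case tM != fM:
		return "major"
	case tm != fm:
		return "minor"
	case tp != fp:
		return "patch"
	}
	return "unknown"
}

// availableUpdates decodes the concatenated JSON objects produced by
// `go list -u -m -json all` and returns one Finding per module with an update,
// skipping the main module.
func availableUpdates(r io.Reader) ([]Finding, error) {
	dec := json.NewDecoder(r)
	var out []Finding
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if m.Main || m.Update == nil {
			continue
		}
		out = append(out, Finding{
			Path:     m.Path,
			From:     m.Version,
			To:       m.Update.Version,
			Kind:     classifyBump(m.Version, m.Update.Version),
			Indirect: m.Indirect,
		})
	}
	return out, nil
}

// sampleListOutput is a constructed stand-in for real `go list -u -m -json all` output.
const sampleListOutput = `
{"Path": "example.com/app", "Main": true}
{"Path": "github.com/example/lib", "Version": "v1.4.2", "Update": {"Path": "github.com/example/lib", "Version": "v1.4.5"}}
{"Path": "github.com/example/tool", "Version": "v0.9.1", "Update": {"Path": "github.com/example/tool", "Version": "v1.0.0"}, "Indirect": true}
{"Path": "github.com/example/stable", "Version": "v2.1.0"}
{"Path": "golang.org/x/example", "Version": "v0.0.0-20240101000000-0123456789ab", "Update": {"Path": "golang.org/x/example", "Version": "v0.0.0-20240301000000-ba9876543210"}}
`

func main() {
	// Replace strings.NewReader(sampleListOutput) with os.Stdin to run this
	// against the live tool output: go list -u -m -json all | go run .
	findings, err := availableUpdates(strings.NewReader(sampleListOutput))
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		note := ""
		if f.Kind == "major" {
			note = "  <-- review release notes before upgrading"
		}
		fmt.Printf("%-8s %s %s -> %s%s\n", f.Kind, f.Path, f.From, f.To, note)
	}
}
```

One caveat worth knowing: because Go modules with major version 2 or higher live at a different module path (`/v2`, `/v3`, ...), `go list -u` never reports a v1 -> v2 jump as an `Update`; the "major" classification here fires for the v0 -> v1 transition, and later major versions have to be looked for as new module paths.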
- Review breaking changes in release notes
- Update import paths if required
- Fix compilation errors
- Update tests for new behavior
- Document in PR what changed and why
Automated updates are handled by Dependabot:

- Configured in `.github/dependabot.yml`
- Checks for updates weekly
- Groups minor/patch updates
- Creates separate PRs for major versions
- Minor/patch updates with passing CI can auto-merge
- Major updates require manual review
- Security updates prioritized for review
Inspecting the module graph:

```bash
go mod graph
go mod tidy -v
go mod download -json | jq '.Dir' | xargs du -sh | sort -h
```

Do:

- Pin to specific versions in production
- Review licenses before adding dependencies
- Prefer standard library when possible
- Use minimal dependencies for core functionality
- Document unusual dependencies in code comments
Don't:

- Use `latest` tags in production
- Import unused packages
- Use replace directives except for emergencies
- Add dependencies for trivial functionality
- Ignore security advisories
Before adding a new dependency, consider:
- Necessity: Can we implement this ourselves simply?
- Maintenance: Is the project actively maintained?
- Security: Any known vulnerabilities?
- License: Compatible with our project?
- Size: How much does it increase binary size?
- Quality: Well-tested? Good documentation?
- Dependencies: Does it bring many transitive dependencies?
Use replace only when absolutely necessary:
```go
// Temporary fix for critical bug until upstream releases
replace github.com/broken/package v1.2.3 => github.com/fork/package v1.2.4-fixed

// Local development only - remove before committing
replace github.com/company/module => ../local-module
```

Document why the replacement is needed and track removal in an issue.
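A `replace` directive silently redirects a dependency to whatever the target points at, so the two rules above (no local-path replaces in committed code, and a documented, issue-tracked reason for every other one) are worth enforcing mechanically in CI or a pre-commit hook. The following added example (not part of this repository; the `checkReplaces` function, its `Finding` type, and the sample `go.mod` text are all constructed for illustration) scans a `go.mod` for both the single-line and block forms of `replace` and reports directives that point at a filesystem path, have no justification comment, or have a comment that does not reference a tracking issue.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one problem with a replace directive.
type Finding struct {
	Line    int
	Target  string
	Problem string
}

// issueRef matches the ways a comment usually points at a tracking issue.
var issueRef = regexp.MustCompile(`#\d+|https?://\S+`)

// isLocalPath reports whether a replace target is a filesystem path rather
// than a module path; go.mod treats ./, ../ and rooted paths as local.
func isLocalPath(target string) bool {
	return strings.HasPrefix(target, "./") ||
		strings.HasPrefix(target, "../") ||
		strings.HasPrefix(target, "/")
}

// checkReplaces scans go.mod content and returns a Finding for every replace
// directive that points at a local path, lacks a justification comment, or
// whose comment does not reference an issue. A justification is a trailing
// comment on the directive line or comment lines immediately above it.
func checkReplaces(gomod string) []Finding {
	var findings []Finding
	var pending []string // comment lines directly above the current line
	inBlock := false
	lineNo := 0
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			pending = nil
			continue
		}
		if strings.HasPrefix(line, "//") {
			pending = append(pending, line)
			continue
		}
		trailing := ""
		if i := strings.Index(line, "//"); i >= 0 {
			trailing = line[i:]
			line = strings.TrimSpace(line[:i])
		}
		var spec string
		switch {
		case line == "replace (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			pending = nil
			continue
		case strings.HasPrefix(line, "replace "):
			spec = strings.TrimPrefix(line, "replace ")
		case inBlock:
			spec = line
		default: // require, go, module, exclude ... are not our concern here
			pending = nil
			continue
		}
		comment := strings.TrimSpace(strings.Join(append(pending, trailing), " "))
		pending = nil
		parts := strings.SplitN(spec, "=>", 2)
		if len(parts) != 2 {
			continue
		}
		rhs := strings.Fields(parts[1])
		if len(rhs) == 0 {
			continue
		}
		target := rhs[0]
		if isLocalPath(target) {
			findings = append(findings, Finding{Line: lineNo, Target: target, Problem: "local path replace must not be committed"})
		}
		switch {
		case comment == "":
			findings = append(findings, Finding{Line: lineNo, Target: target, Problem: "replace has no justification comment"})
		case !issueRef.MatchString(comment):
			findings = append(findings, Finding{Line: lineNo, Target: target, Problem: "justification does not reference a tracking issue"})
		}
	}
	return findings
}

// sampleGoMod is a constructed go.mod exercising the accepted and rejected cases.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/broken/package v1.2.3
	github.com/company/module v0.5.0
	github.com/other/dep v2.0.1
)

// Temporary fix for critical bug until upstream releases, removal tracked in #42
replace github.com/broken/package v1.2.3 => github.com/fork/package v1.2.4-fixed

replace (
	github.com/company/module => ../local-module // local dev only
	github.com/other/dep v2.0.1 => github.com/other/dep v2.0.2
)
`

func main() {
	for _, f := range checkReplaces(sampleGoMod) {
		fmt.Printf("go.mod:%d: %s (%s)\n", f.Line, f.Problem, f.Target)
	}
}
```

The first replace in the sample passes (module target, comment with an issue reference); the local-path replace produces two findings, and the undocumented block entry one, which is the outcome a CI job would turn into a failed check.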
For private modules:
- Configure authentication:

  ```bash
  git config --global url."git@github.com:company/".insteadOf "https://github.com/company/"
  ```

- Set `GOPRIVATE`:

  ```bash
  export GOPRIVATE=github.com/company/*
  ```

- Document setup in README for team members.
```bash
# Show available updates
go list -u -m all | grep '\['

# Count total dependencies
go mod graph | wc -l

# See what changed in go.mod
git diff go.mod

# Detailed view of go.sum changes
git diff go.sum | grep '^[+-]' | sort
```

Regular dependency maintenance prevents security issues and reduces upgrade complexity.