A modern Go tool that automatically discovers major version upgrade opportunities, detects archived/deprecated dependencies, shows release dates and ages, fetches changelogs from GitHub, analyzes codebase impact, and generates actionable reports with live progress tracking.
- 🔍 Comprehensive Discovery - Finds all major version upgrades for your Go dependencies
- 🗄️ Archived Detection - Warns about deprecated/archived repositories (even when no upgrades exist)
- 📅 Release Dates & Ages - Shows when versions were released and how old they are
- ⚡ Parallel Execution - Worker pool scaled to 2x CPU cores for maximum speed
- 🌐 Vanity Import Support - Resolves k8s.io, go.uber.org, golang.org/x, etc.
- 📊 Impact Analysis - Identifies affected files and components in your codebase
- 💾 Smart Caching - 24-hour cache for faster repeat runs
- 🔐 GOPROXY/GOPRIVATE - Supports custom proxies and private modules
- 📈 Live Progress - Real-time progress bar with package names
- 🔗 Direct Links - Points to specific release tags, not generic pages
go run github.com/stackrox/go-dep-upgrade-checker@latestgo install github.com/stackrox/go-dep-upgrade-checker@latest
dep-upgrade-checker -output upgrade-report.mdgit clone https://github.com/stackrox/go-dep-upgrade-checker.git
cd go-dep-upgrade-checker
go build -o dep-upgrade-checker .
./dep-upgrade-checker -output report.md# Generate report for your project
dep-upgrade-checker -output upgrade-report.md
# Check specific package
dep-upgrade-checker -package github.com/google/go-github/v50
# Include indirect dependencies
dep-upgrade-checker -include-indirect -output full-report.md
# With GitHub token (recommended - increases rate limit 60/hr → 5000/hr)
GITHUB_TOKEN=ghp_xxx dep-upgrade-checker -output report.md# Use custom Go proxy
GOPROXY=https://goproxy.io dep-upgrade-checker -output report.md
# Skip private modules
GOPRIVATE=github.com/mycompany/* dep-upgrade-checker -output report.md# Clear cache
dep-upgrade-checker -clear-cache
# Show cache statistics
dep-upgrade-checker -cache-stats
# Disable cache
dep-upgrade-checker -no-cache -output report.md$ dep-upgrade-checker -output upgrade-report.md
Parsing go.mod...
Found 3 versioned dependencies
After filtering: 3 dependencies to check
Cache enabled (24h TTL)
Checking for available upgrades...
Checking go-github/v50 100% |███████████████| (3/3, 32 it/min)
Found 2 upgrade candidates
Checking for archived dependencies...
Found 1 archived dependencies without upgrades
Analyzing codebase impact...
Generating report...
Report written to upgrade-report.md# Dependency Major Version Upgrade Analysis
## Summary
- Upgrade candidates: 2
- ⚠️ Archived dependencies: 2
## Available Upgrades
### google/go-github: v50 → v84 (34 major versions)
**Current**: v50.0.0 (released 2023-01-26, 3 years, 1 month old)
**Latest**: v84.0.0 (released 2026-02-27)
**Impact**: 5 files affected (tools)
**Repository**: https://github.com/google/go-github
**Changelog**: https://github.com/google/go-github/releases/tag/v84.0.0
**Breaking Changes**:
- CHANGE: `CreateWorkflowDispatchEventByID` now returns `*WorkflowDispatchRunDetails`
- CHANGE: Split `IssuesService.List` into `ListAllIssues` and `ListUserIssues`
### mitchellh/hashstructure: v1 → v2 (1 major version)
**🗄️ ARCHIVED**: This repository is archived and no longer maintained
**Current**: v1.1.0 (released 2020-11-22, 5 years, 3 months old)
**Latest**: v2.0.2 (released 2021-05-27)
**Impact**: 3 files affected (central)
**Repository**: https://github.com/mitchellh/hashstructure
## Archived Dependencies (No Upgrades Available)
The following dependencies are archived and no longer maintained. You are currently on the latest version, but you should consider migrating to actively maintained alternatives.
### mitchellh/hashstructure: v2.0.2
**🗄️ ARCHIVED**: This repository is archived and no longer maintained
**Current Version**: v2.0.2
**Repository**: https://github.com/mitchellh/hashstructure📸 Click to see cached run example (much faster!)
$ dep-upgrade-checker -output upgrade-report.md
Parsing go.mod...
Found 3 versioned dependencies
After filtering: 3 dependencies to check
Cache enabled (24h TTL)
Checking for available upgrades...
Checking go-github/v50 100% |███████████████| (3/3, 1805 it/s)
Cache hits: 3/3
Found 2 upgrade candidates
Checking for archived dependencies...
Analyzing codebase impact...
Generating report...
Report written to upgrade-report.mdNotice the speed difference: 32 it/min → 1805 it/s (cached)!
Modern Go projects have hundreds of dependencies with major version suffixes (v2, v3, v4+). While tools like Dependabot handle patch/minor updates, no tooling exists to systematically discover major version upgrades and detect archived dependencies.
- 🔍 Manual, tedious discovery of upgrade opportunities
⚠️ No warning when dependencies become archived/deprecated- 📅 No visibility into how old your dependencies are
- 📊 No insight into breaking changes before upgrading
- 🎯 Difficulty prioritizing which upgrades to tackle first
- ✅ Automatic discovery of all major version upgrades
- ✅ Immediate alerts for archived/deprecated dependencies
- ✅ Clear visibility into dependency ages (e.g., "5 years, 3 months old")
- ✅ Extracted breaking changes from changelogs
- ✅ Impact analysis showing affected files and components
- ✅ Sorted by priority (version jump magnitude)
| Flag | Default | Description |
|---|---|---|
-gomod |
go.mod |
Path to go.mod file |
-output |
stdout | Output file path (Markdown) |
-package |
- | Filter by specific package path |
-include-indirect |
false |
Include indirect dependencies |
-include-replaced |
false |
Include replaced dependencies |
-no-cache |
false |
Disable caching |
-clear-cache |
- | Clear cache and exit |
-cache-stats |
- | Show cache statistics and exit |
Uses golang.org/x/mod/modfile to extract ALL dependencies:
- Packages with version suffixes (
/v2,/v3,/v4+) - Packages without suffixes (v1.x.x or v0.x.x)
- Infers major version from version string
Worker pool scaled to 2x CPU cores (minimum 4):
GitHub packages (fast - ~0.5s per package):
- One API call to fetch all tags
- Parses semantic versions instantly
- No iteration limits
Other packages (Go proxy - ~1-2s):
- Fetches from
proxy.golang.org/@v/list - Checks all major version paths
- Falls back to sequential queries if needed
Performance: With 8 cores, checks up to 16 packages simultaneously!
- Checks GitHub API for archived status
- Warns even when on latest version
- Helps identify migration needs early
- GitHub Releases API for dates
- Go module proxy for timestamps
- Human-readable age calculation
- Downgrade detection (warns if "upgrade" is older)
Automatically resolves to GitHub repositories:
k8s.io/*→github.com/kubernetes/*sigs.k8s.io/*→github.com/kubernetes-sigs/*go.uber.org/*→github.com/uber-go/*golang.org/x/*→github.com/golang/*google.golang.org/grpc→github.com/grpc/grpc-go
- Fetches
CHANGELOG.mdfrom main/master - Falls back to GitHub Releases
- Extracts breaking changes automatically
- Links directly to specific release tags
Native Go file walking to find affected files:
- Counts files importing the package
- Identifies components (central, sensor, etc.)
- No external dependencies
- 24-hour TTL for version data
- Stores changelog and impact analysis
- Skips unchanged dependencies
- Cache statistics available
Built with modern Go 1.25 patterns:
go-dep-upgrade-checker/
├── main.go # CLI entry point
├── parser.go # Parse go.mod (golang.org/x/mod)
├── version_checker.go # Parallel version queries with wg.Go()
├── github_client.go # GitHub API (go-github)
├── analyzer.go # Native Go file walking
├── report.go # Markdown generation
├── cache.go # Smart caching (24h TTL)
└── *_test.go # Test suite (56.6% coverage)
Modern Go Features Used:
wg.Go()for cleaner goroutine management (Go 1.25)max()builtin for min/max calculations (Go 1.21)for i := range nfor cleaner loops (Go 1.22)strings.CutPrefixfor efficient string ops (Go 1.20)strings.SplitSeqfor memory-efficient iteration (Go 1.24)
- Parallel execution: 10-15x faster than sequential
- Smart caching: Repeat runs are near-instant
- Memory efficient:
SplitSeqreduces allocations - Optimized: Uses compiler built-ins where possible
# Add to CI/cron
dep-upgrade-checker -output reports/$(date +%Y-%m)-upgrades.md# Analyze specific package before starting work
dep-upgrade-checker -package helm.sh/helm/v3# Find old, archived dependencies
dep-upgrade-checker -output aged-deps.md
# Review "Archived Dependencies" section# Fail CI if archived dependencies found
if dep-upgrade-checker | grep -q "ARCHIVED"; then
echo "Found archived dependencies!"
exit 1
fi- GitHub-only changelogs: Only fetches from GitHub-hosted packages
- Pattern-based analysis: Simple string matching for breaking changes
- Rate limits: GitHub API (use
GITHUB_TOKENfor higher limits) - No auto-upgrade: Generates reports only, doesn't modify code
Contributions welcome! This project uses modern Go 1.25 patterns.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Before submitting:
- Run
go test ./...to ensure tests pass - Run
go buildto ensure it compiles - Use modern Go patterns (see CLAUDE.md for guidelines)
- GitHub Actions integration example
- Interactive mode for selecting upgrades
- Dependency graph visualization
- Support for GitLab/Bitbucket
- Historical tracking over time
- Auto-generate PRs for upgrades
- Security vulnerability correlation
Apache License 2.0 - see LICENSE file for details.
Originally developed for StackRox to manage 179 direct and 353 indirect dependencies with modern Go 1.25 patterns.
- Dependabot - Automated patch/minor updates
- Renovate - Automated dependency updates
- go mod - Official Go module management
- govulncheck - Security vulnerability scanner
⭐ If this tool helps you manage your dependencies, please give it a star!
Built with ❤️ using modern Go 1.25 patterns