depaware makes you aware of your Go dependencies

depaware

depaware makes you aware of your Go dependencies.

It generates a list of your dependencies which you check in to your repo:

https://github.com/tailscale/tailscale/blob/main/cmd/tailscaled/depaware.txt

Then you and others can easily see what your dependencies are, how they vary by operating system (the letters L(inux), D(arwin), W(indows) in the left column), and whether they use unsafe/cgo (bomb icon).

Then you hook it up to your CI so it's a build breakage if they're not up to date:

https://github.com/tailscale/tailscale/blob/main/.github/workflows/depaware.yml

Then during code review you'll see in your review whether/how your dependencies changed, and you can decide whether that's appropriate.

You'll probably want to pin a specific vesion of the depaware tool in your go.mod file that survives a "go mod tidy". You can add a file like this to your project:

https://github.com/tailscale/tailscale/commit/7795fcf4649ce4ddc2a5b345cb56516fa161b4b3

Owner
Tailscale
Tailscale is a WireGuard-based app that makes secure, private networks easy for teams of any scale.
Tailscale
https://github.com/tailscale/depaware
Comments
  • reduce diffs due to introducing lexicographically prior importing packages

    reduce diffs due to introducing lexicographically prior importing packages

    depaware.txt diffs can be very noisy. See e.g. the diff in https://github.com/tailscale/depaware/pull/3/commits. Many of those changes are of the form:

    -        bytes                                                        from encoding/json+
+        bytes                                                        from bufio+

    I propose that when a package is imported by >1 package, we write <multiple packages> instead of using lexifirst+. This provides less information, but will be much more stable.

    Optionally, we could also add a -all flag (better name welcome) that spells out every single importing package like bufio,encoding/json, instead of <multiple packages>. That would be useful for someone actively trying to cut dependencies. And teams might choose to use it all the time; with a good intra-line diff, it'd generate usable diffs again.

    I'm willing to implementation, but feedback on design requested first.

  • depaware: -update flag ignored if used in the wrong place

    depaware: -update flag ignored if used in the wrong place

    go run github.com/tailscale/depaware -check tailscale.io/cmd/cmdname -update

    Running this does a -check and completely ignores -update, producing no error message.

  • depaware: adjust to breaking change in golang.org/x/tools

    depaware: adjust to breaking change in golang.org/x/tools

    https://go-review.googlesource.com/c/tools/+/270038 zeroed out the environment when executing 'go list' if packages.Config.Env was non-empty.

    Put os.Environ back in there.

  • Separate unsafe and cgo

    Separate unsafe and cgo

    While both might be problematic in terms of GC or race detection, CGO can introduce additional issues for cross-compiling. It would be great if CGO was recognizable on its own. Maybe different bomb types or bombs plus U/C code?

  • consider showing test-only dependencies

    consider showing test-only dependencies

    The ability to more easily see what are test-only dependencies for modules is a common request for cmd/go.

    Consider supporting it here, either by highlighting a test-only dependency or by highlighting a non-test dependency.

    There are different ways to determine this, but one way is this, which shows the modules used in your build excluding test-only dependencies:

    go list -deps -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' ./... | sort -u
Related tags
Package Management depaware
Vendor Go dependencies

nut Gophers love nuts. nut is a tool that allows Go projects to declare dependencies, download dependencies, rewrite import paths and ensure that depe

Sep 27, 2022
Gohack: mutable checkouts of Go module dependencies

Gohack: mutable checkouts of Go module dependencies The new Go module system is awesome. It ensures repeatable, deterministic builds of Go code.

Dec 12, 2022
Go-htutil - Go HTTP utilities, with no dependencies

snai.pe/go-htutil go get snai.pe/go-htutil Go HTTP utilities with no dependenci

Jan 26, 2022
Checks if there are any updates for imports in your module.

Go Up goup checks if there are any updates for imports in your module. It parses go.mod files to get dependencies with their version, uses go-git to r

Jul 7, 2022
Find outdated dependencies of your Go projects. go-mod-outdated provides a table view of the go list -u -m -json all command which lists all dependencies of a Go project and their available minor and patch updates. It also provides a way to filter indirect dependencies and dependencies without updates.

go-mod-outdated An easy way to find outdated dependencies of your Go projects. go-mod-outdated provides a table view of the go list -u -m -json all co

Dec 28, 2022
Assembly syntax that makes you feel like you're writing code in a high-level language.

shasm Assembly syntax that makes you feel like you're writing code in a high-level language. Shasm is not an Assembler. Shasm simply compiles Shasm sy

Jun 5, 2021
A library built to provide support for defining service health for golang services. It allows you to register async health checks for your dependencies and the service itself, provides a health endpoint that exposes their status, and health metrics.
 A library built to provide support for defining service health for golang services. It allows you to register async health checks for your dependencies and the service itself, provides a health endpoint that exposes their status, and health metrics.

go-sundheit A library built to provide support for defining service health for golang services. It allows you to register async health checks for your

Dec 27, 2022
GoThanks automatically stars Go's official repository and your go.mod github dependencies, providing a simple way to say thanks to the maintainers of the modules you use and the contributors of Go itself.
 GoThanks automatically stars Go's official repository and your go.mod github dependencies, providing a simple way to say thanks to the maintainers of the modules you use and the contributors of Go itself.

Give thanks (in the form of a GitHub ★) to your fellow Go modules maintainers. About GoThanks performs the following operations Sends a star to Go's r

Dec 24, 2022
go mod vendor lets you check in your dependencies to git, but that's both bloaty (for developers) and tedious (remembering to update it).

go-mod-archiver Afraid of being unable to build historical versions of your Go program? go mod vendor lets you check in your dependencies to git, but

Dec 1, 2022
A quick and easy password protected web server for your files. httpfolder makes downloading/uploading files from your current working directory easy, even for fairly large files.

httpfolder A quick and easy password protected web server for your files. httpfolder makes downloading/uploading files from your current working direc

Sep 12, 2022
DataHen Till is a standalone tool that instantly makes your existing web scraper scalable, maintainable, and more unblockable, with minimal code changes on your scraper.
 DataHen Till is a standalone tool that instantly makes your existing web scraper scalable, maintainable, and more unblockable, with minimal code changes on your scraper.

DataHen Till is a standalone tool that instantly makes your existing web scraper scalable, maintainable, and more unblockable, with minimal code changes on your scraper.

Dec 14, 2022
Kusk makes your OpenAPI definition the source of truth for API resources in your cluster
 Kusk makes your OpenAPI definition the source of truth for API resources in your cluster

Kusk - use OpenAPI to configure Kubernetes What is Kusk? Developers deploying their REST APIs in Kubernetes shouldn't have to worry about managing res

Dec 16, 2022
PHP functions implementation to Golang. This package is for the Go beginners who have developed PHP code before. You can use PHP like functions in your app, module etc. when you add this module to your project.

PHP Functions for Golang - phpfuncs PHP functions implementation to Golang. This package is for the Go beginners who have developed PHP code before. Y

Dec 30, 2022
A command line tool that builds and (re)starts your web application everytime you save a Go or template fileA command line tool that builds and (re)starts your web application everytime you save a Go or template file

# Fresh Fresh is a command line tool that builds and (re)starts your web application everytime you save a Go or template file. If the web framework yo

Nov 22, 2021
A fast data generator that's multi-table aware and supports multi-row DML.
 A fast data generator that's multi-table aware and supports multi-row DML.

If you need to generate a lot of random data for your database tables but don't want to spend hours configuring a custom tool for the job, then datage

Dec 26, 2022
gpool - a generic context-aware resizable goroutines pool to bound concurrency based on semaphore.

gpool - a generic context-aware resizable goroutines pool to bound concurrency. Installation $ go get github.com/sherifabdlnaby/gpool import "github.c

Oct 31, 2022
xlog is a logger for net/context aware HTTP applications
 xlog is a logger for net/context aware HTTP applications

⚠️ Check zerolog, the successor of xlog. HTTP Handler Logger xlog is a logger for net/context aware HTTP applications. Unlike most loggers, xlog will

Sep 26, 2022
xmux is a httprouter fork on top of xhandler (net/context aware)

Xmux Xmux is a lightweight high performance HTTP request muxer on top xhandler. Xmux gets its speed from the fork of the amazing httprouter. Route par

Sep 28, 2022
Pomerium is an identity-aware access proxy.

Pomerium is an identity-aware proxy that enables secure access to internal applications. Pomerium provides a standardized interface to add access cont

Jan 1, 2023
A collection of (ANSI-sequence aware) text reflow operations & algorithms
 A collection of (ANSI-sequence aware) text reflow operations & algorithms

reflow A collection of ANSI-aware methods and io.Writers helping you to transform blocks of text. This means you can still style your terminal output

Dec 29, 2022