I'm increasingly starting to dislike the "simplicity" of #golang's "go mod" system. The lack of something resembling an idiomatic way to manage dev dependencies means contributing to a Go project often entails downloading several binaries (golangci-lint, gci, gofumpt, whatever) out of band, whose versions must match those in CI. Those should just be dependencies of the project for fuck's sake! And managed as any other dependency. Any tool (which isn't Docker) that does this well for Go?
@anderseknert I heard somewhere golang doesn't even have dependency version pinning/locking, is that true?
@arichtman Hmm, not sure what that would refer to, tbh. You can definitely pin a dependency either to a tag (this is the default) or a commit/ref. But could be there are nuances/flaws to the approach I'm not aware of. Summoning @www.jvt.me as he's the "dependency guy" lol
Yeah, not sure where that came from, but as you say, you can pin to a tag/commit, and Go's module proxy stops you from having someone re-push the value of a tag, once it's had someone download a dependency.
You also only pin, as there's no way to do a range, so IMO that makes it nicer and more explicit than other languages / toolchains with respect to pinning.
@www.jvt.me Yeah, I was surprised when I pushed a tag for Regal by mistake some months back and thought I could get away with quickly deleting it without anyone noticing. But when I pushed that same tag later, Go mod would refuse to download it as it was "tampered with", lol. Fair enough, but they could at least wait 5 minutes before they store a tag to allow people to fuck things up and fix them, lol