dep - Pin Executable Version

2 minute read Published:

Along with managing project dependencies, dep also provides a way to manage the development tools (linters, generators, etc) to be used with the project. This can be done by adding the tool’s full package path in the required field in the manifest file (Gopkg.toml). Unlike other fields, required considers packages, not project. Hence, if a project wants to install a tool, say dep, required should contain github.com/golang/dep/cmd/dep.

required = ["github.com/golang/dep/cmd/dep"]

If a project doesn’t contain any import path of a package, required field can be used to tell dep to include that. When dep ensure is run with required field in manifest, dep would analyze the packages in the required field and create a list of all the packages they depend on individually. These list of packages are then written into the lock file under separate packages. For example, package list of github.com/golang/dep/cmd/dep in Gopkg.lock would look like this:

  name = "github.com/golang/dep"
  packages = [
  revision = "8ddfc8afb2d520d41997ebddd921b52152706c01"
  version = "v0.3.2"

This packages list is used by dep to understand which packages are required for a proper reproducible build. This list is also used while pruning to figure out which packages are required and should not be pruned.

To set a constraint on the packages in required field, separate [[constraint]] for the same projects can be added in the manifest with the required version. For example, continuing with the above example of dep executable, constraint for dep could be:

  name = "github.com/golang/dep"
  version = "=0.3.2"

dep would combine the required and constraint fields to determine the version of the package to download.

comments powered by Disqus