Eric Campbell 4 min read Go

Go Modules: Dependency Management

Go modules are the official dependency management system introduced in Go 1.11 and enabled by default since Go 1.13. They solved critical problems that plagued earlier Go development: the rigid...

Key Insights

  • Go modules eliminate GOPATH dependency and provide reproducible builds through semantic versioning and cryptographic checksums in go.sum
  • The replace directive is essential for local development and testing changes across multiple modules before publishing
  • Major version bumps (v2+) require either a subdirectory structure or a new import path to maintain backward compatibility

Introduction to Go Modules

Go modules are the official dependency management system introduced in Go 1.11 and enabled by default since Go 1.13. They solved critical problems that plagued earlier Go development: the rigid GOPATH workspace requirement, the complexity of vendoring tools, and the lack of explicit versioning.

Before modules, you had to structure all Go code under a single GOPATH directory, making it difficult to work on projects with conflicting dependency versions. Modules freed Go developers from this constraint while providing reproducible builds through semantic versioning and cryptographic verification.

A Go module is a collection of related Go packages versioned together as a single unit. Each module is defined by a go.mod file at its root:

module github.com/yourname/yourproject

go 1.21

require (
    github.com/gin-gonic/gin v1.9.1
    github.com/lib/pq v1.10.9
)

This simple file declares the module path, the minimum Go version, and its dependencies with specific versions. The companion go.sum file contains cryptographic checksums to ensure dependency integrity.

Initializing and Basic Module Operations

Creating a new module starts with go mod init. You provide a module path that serves as the import prefix for all packages in your module:

# For a GitHub project
go mod init github.com/username/project-name

# For a local-only project
go mod init myapp

This generates a minimal go.mod file. When you import packages and run go build, go test, or other Go commands, the module system automatically downloads dependencies and updates go.mod:

// main.go
package main

import (
    "github.com/gin-gonic/gin"
)

func main() {
    r := gin.Default()
    r.GET("/ping", func(c *gin.Context) {
        c.JSON(200, gin.H{"message": "pong"})
    })
    r.Run()
}

Running go build with this code automatically adds the Gin dependency:

go build
# Downloads github.com/gin-gonic/gin and its dependencies

Your go.mod now shows both direct and indirect dependencies:

module myapp

go 1.21

require github.com/gin-gonic/gin v1.9.1

require (
    github.com/bytedance/sonic v1.9.1 // indirect
    github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
    // ... more indirect dependencies
)

The go.sum file contains checksums for every dependency version, ensuring that the exact same code is used across all builds:

github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=

Managing Dependencies

The go get command is your primary tool for managing dependencies. You can specify exact versions, version ranges, or let Go select the latest compatible version:

# Add or update to the latest version
go get github.com/lib/pq

# Get a specific version
go get github.com/lib/pq@v1.10.9

# Get a specific commit
go get github.com/lib/pq@abc123

# Update to the latest minor/patch version
go get -u=patch github.com/lib/pq

# Update all dependencies
go get -u ./...

The go mod tidy command is essential for maintaining a clean go.mod file. It adds missing dependencies and removes unused ones:

go mod tidy

Run this regularly, especially before committing. It ensures your go.mod accurately reflects your actual imports.

To remove a dependency, delete the import statements from your code and run go mod tidy. The dependency will be removed from go.mod if no longer needed.

Understanding direct versus indirect dependencies matters for maintenance. Direct dependencies are packages you import directly. Indirect dependencies are required by your direct dependencies. Go marks indirect dependencies with // indirect:

require (
    github.com/gin-gonic/gin v1.9.1 // direct
    github.com/klauspost/cpuid/v2 v2.2.4 // indirect
)

Working with Replace and Exclude Directives

The replace directive is invaluable for local development. It redirects imports to a local directory or different repository:

module myapp

go 1.21

require github.com/yourname/library v1.2.3

// Use local version during development
replace github.com/yourname/library => ../library

This lets you test changes across multiple modules before publishing. You can also replace with a specific version or fork:

// Use a fork
replace github.com/original/package => github.com/yourname/package v1.3.0

// Use a different version than requested
replace github.com/pkg/errors v0.8.0 => github.com/pkg/errors v0.9.1

The exclude directive prevents specific versions from being used, useful when a particular release has critical bugs:

exclude github.com/problematic/package v1.2.3

When an excluded version is required, Go automatically selects the next available version.

Module Versioning and Publishing

Publishing a module version requires proper Git tagging. Go modules use semantic versioning (semver): vMAJOR.MINOR.PATCH.

# Tag a new release
git tag v1.0.0
git push origin v1.0.0

# Tag a patch release
git tag v1.0.1
git push origin v1.0.1

Major version 2 and above require special handling to maintain backward compatibility. You have two options: the subdirectory approach or the major branch approach. The subdirectory approach is more common:

# Create v2 in a subdirectory
mkdir v2
cp -r *.go go.mod v2/
cd v2
# Update go.mod module path

Your v2 go.mod:

module github.com/yourname/project/v2

go 1.21

Users can then import both versions simultaneously:

import (
    "github.com/yourname/project"     // v1
    projectv2 "github.com/yourname/project/v2" // v2
)

This allows gradual migration from v1 to v2 within the same codebase.

For pre-release versions, use suffixes:

git tag v1.0.0-beta.1
git tag v1.0.0-rc.1

Common Workflows and Troubleshooting

For private repositories, configure GOPRIVATE to bypass the public proxy:

# Single private repo
export GOPRIVATE=github.com/yourcompany/privaterepo

# All repos from your organization
export GOPRIVATE=github.com/yourcompany/*

# Multiple patterns
export GOPRIVATE=github.com/yourcompany/*,gitlab.com/othercompany/*

Vendoring copies all dependencies into a vendor directory in your module. This is useful for air-gapped environments or ensuring dependencies remain available:

go mod vendor

This creates a vendor directory. Go automatically uses vendored dependencies when present. Commit the vendor directory to your repository if you want guaranteed builds regardless of external availability.

Verify dependency integrity with:

go mod verify

This checks that dependencies in your module cache match the checksums in go.sum.

When dependency resolution fails, try these steps:

# Clear the module cache
go clean -modcache

# Re-download dependencies
go mod download

# Verify and tidy
go mod verify
go mod tidy

For debugging dependency issues, use:

# See why a dependency is required
go mod why github.com/some/package

# View the dependency graph
go mod graph

# List all modules
go list -m all

Go modules transformed dependency management from a source of frustration into a reliable, reproducible system. The key is understanding the core commands—go mod init, go mod tidy, and go get—and using replace directives during development. Proper versioning and the use of go.sum for verification ensure your builds remain consistent across environments. Master these fundamentals, and you’ll handle even complex multi-module projects with confidence.

Liked this? There's more.

Every week: one practical technique, explained simply, with code you can use immediately.