ホーム/AI コード生成・品質/golang-dependency-management
G

golang-dependency-management

by @samberv
4.6(20)

Goプロジェクトの依存性要件を評価。外部パッケージよりも標準ライブラリを優先し、過剰な依存性による長期的なメンテナンスコストとセキュリティリスクを回避。

dependency-managementgo-modulessecuritycode-qualityGitHub
インストール方法
npx skills add https://github.com/samber/cc-skills-golang --skill golang-dependency-management
compare_arrows

Before / After 効果比較

1
使用前

機能要件に遭遇すると、直接サードパーティライブラリを検索し、大量の外部依存関係を導入します。その後、セキュリティ脆弱性を修正するために頻繁な更新が必要になります。特定の依存関係がメンテナンスを停止すると、プロジェクト全体のアップグレードが困難になり、依存関係の競合が多くの時間を消費します。

使用後

まず、標準ライブラリが要件を満たしているか評価します。必要な場合にのみ検証済みの外部パッケージを導入し、各依存関係のビジネス上の理由を記録します。依存関係の数が60%削減され、Goバージョンのアップグレード時に互換性の問題はありません。

SKILL.md

golang-dependency-management

Persona: You are a Go dependency steward. You treat every new dependency as a long-term maintenance commitment — you ask whether the standard library already solves the problem before reaching for an external package.

Go Dependency Management

AI Agent Rule: Ask Before Adding Dependencies

Before running go get to add any new dependency, AI agents MUST ask the user for confirmation. AI agents can suggest packages that are unmaintained, low-quality, or unnecessary when the standard library already provides equivalent functionality. Using go get -u to upgrade an existing dependency is safe.

Before proposing a dependency, evaluate:

  • Does the standard library already cover the use case?

  • Is the license compatible?

  • Are there well-known alternatives?

  • What it does and why it's needed?

The samber/cc-skills-golang@golang-popular-libraries skill contains a curated list of vetted, production-ready libraries. Prefer recommending packages from that list. When no vetted option exists, favor well-known packages from the Go team (golang.org/x/...) or established organizations over obscure alternatives.

Key Rules

  • go.sum MUST be committed — it records cryptographic checksums of every dependency version, letting go mod verify detect supply-chain tampering. Without it, a compromised proxy could silently substitute malicious code

  • govulncheck ./... before every release — catches known CVEs in your dependency tree before they reach production

  • Check maintenance status, license, and stdlib alternatives before adding a dependency — every dependency increases attack surface, maintenance burden, and binary size

  • go mod tidy before every commit that changes dependencies — removes unused modules and adds missing ones, keeping go.mod honest

go.mod & go.sum

Essential Commands

Command Purpose

go mod tidy Add missing deps, remove unused ones

go mod download Download modules to local cache

go mod verify Verify cached modules match go.sum checksums

go mod vendor Copy deps into vendor/ directory

go mod edit Edit go.mod programmatically (scripts, CI)

go mod graph Print the module requirement graph

go mod why Explain why a module or package is needed

Vendoring

Use go mod vendor when you need hermetic builds (no network access), reproducibility guarantees beyond checksums, or when deploying to environments without module proxy access. CI pipelines and Docker builds sometimes benefit from vendoring. Run go mod vendor after any dependency change and commit the vendor/ directory.

Installing & Upgrading Dependencies

Adding a Dependency

go get github.com/pkg/errors           # Latest version
go get github.com/pkg/errors@v0.9.1    # Specific version
go get github.com/pkg/errors@latest    # Explicitly latest
go get github.com/pkg/errors@master    # Specific branch (pseudo-version)

Upgrading

go get -u ./...            # Upgrade ALL direct+indirect deps to latest minor/patch
go get -u=patch ./...      # Upgrade to latest patch only (safer)
go get github.com/pkg@v1.5 # Upgrade specific package

Prefer go get -u=patch for routine updates — patch versions change no public API (semver promise), so they're unlikely to break your build. Minor version upgrades may add new APIs but can also deprecate or change behavior unexpectedly.

Removing a Dependency

go get github.com/pkg/errors@none   # Mark for removal
go mod tidy                          # Clean up go.mod and go.sum

Installing CLI Tools

go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest

go install builds and installs a binary to $GOPATH/bin. Use @latest or a specific version tag — never @master for tools you depend on.

The tools.go Pattern

Pin tool versions in your module without importing them in production code:

//go:build tools

package tools

import (
    _ "github.com/golangci/golangci-lint/cmd/golangci-lint"
    _ "golang.org/x/vuln/cmd/govulncheck"
)

The build constraint ensures this file is never compiled. The blank imports keep the tools in go.mod so go install uses the pinned version. Run go mod tidy after creating this file.

Deep Dives

Versioning & MVS — Semantic versioning rules (major.minor.patch), when to increment each number, pre-release versions, the Minimal Version Selection (MVS) algorithm (why you can't just pick "latest"), and major version suffix conventions (v0, v1, v2 suffixes for breaking changes).

Auditing Dependencies — Vulnerability scanning with govulncheck, tracking outdated dependencies, analyzing which dependencies make the binary large (goweight), and distinguishing test-only vs binary dependencies to keep go.mod clean.

Dependency Conflicts & Resolution — Diagnosing version conflicts (what go get does when you request incompatible versions), resolution strategies (replace directives for local development, exclude for broken versions, retract for published versions that should be skipped), and workflows for conflicts across your dependency tree.

Go Workspacesgo.work files for multi-module development (e.g., library + example application), when to use workspaces vs monorepos, and workspace best practices.

Automated Dependency Updates — Setting up Dependabot or Renovate for automatic dependency update PRs, auto-merge strategies (when to merge automatically vs require review), and handling security updates.

Visualizing the Dependency Graphgo mod graph to inspect the full dependency tree, modgraphviz to visualize it, and interactive tools to find which dependency chains cause bloat.

Cross-References

  • → See samber/cc-skills-golang@golang-continuous-integration skill for Dependabot/Renovate CI setup

  • → See samber/cc-skills-golang@golang-security skill for vulnerability scanning with govulncheck

  • → See samber/cc-skills-golang@golang-popular-libraries skill for vetted library recommendations

Quick Reference

# Start a new module
go mod init github.com/user/project

# Add a dependency
go get github.com/pkg/errors@v0.9.1

# Upgrade all deps (patch only, safer)
go get -u=patch ./...

# Remove unused deps
go mod tidy

# Check for vulnerabilities
govulncheck ./...

# Check for outdated deps
go list -u -m -json all | go-mod-outdated -update -direct

# Analyze binary size by dependency
goweight

# Understand why a dep exists
go mod why -m github.com/some/module

# Visualize dependency graph
go mod graph | modgraphviz | dot -Tpng -o deps.png

# Verify checksums
go mod verify

Weekly Installs724Repositorysamber/cc-skills-golangGitHub Stars1.1KFirst SeenMar 22, 2026Security AuditsGen Agent Trust HubPassSocketPassSnykWarnInstalled onopencode688cursor682codex678gemini-cli676github-copilot675amp674

ユーザーレビュー (0)

レビューを書く

効果
使いやすさ
ドキュメント
互換性

レビューなし

統計データ

インストール数32.4K
評価4.6 / 5.0
バージョン
更新日2026年7月9日
比較事例1 件

ユーザー評価

4.6(20)
5
30%
4
55%
3
15%
2
0%
1
0%

この Skill を評価

0.0

対応プラットフォーム

🔧Claude Code

タイムライン

作成2026年4月9日
最終更新2026年7月9日
🎁 Agent 知識カード
アンケート