collection of Go packages,
stored in a file tree,
with a go.mod file at its root
How did we get here?
All our dependencies should live under $GOPATH
Install them with go get
Every time we built our application, the latest version of our dependencies would be installed.
What if someone introduced a breaking change...
... or decides to delete their repo?
This means that whenever we run the go command, it looks for our dependencies under ./vendor
People started building tools around that
Describe your dependencies and their version in a manifest file
Run a simple command to download them into the vendor folder
Describes the dependencies and their versions
Developers are advised to publish a separate module for each major version
This is easy, because Go modules allow a module to live in a sub-directory of another module
Along with go.mod we also have a go.sum file, which contains the checksums of all our dependencies
Therefore, if we download a source and the repository has been compromised, we will know, because the downloaded version does not match the expected checksum
The Go team released a public registry, which will contain the checksums of all the versions of all the public modules available
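The check described above, as an added example that is not part of the original slides or of the Go toolchain: it recomputes the "h1:" checksum that go.sum records (the dirhash Hash1 scheme, a SHA-256 over the sorted list of "<sha256 hex>  <name>" lines of the module zip, base64-encoded) and compares it with the go.sum entry, so a modified file or a missing entry is reported. The module name, version and file contents are constructed sample values.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// modFiles models the contents of a module zip: entry name -> file bytes.
// Real module zips name every entry "<module>@<version>/<path>", which is why
// the sample below uses that prefix.
type modFiles map[string][]byte

// hash1 computes the "h1:" checksum used in go.sum: for every file, sorted by
// name, feed "<sha256 hex of contents>  <name>\n" into an outer SHA-256 and
// base64-encode the outer digest. This mirrors the dirhash Hash1 algorithm.
func hash1(files modFiles) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("file names containing newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(h, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// parseGoSum reads go.sum lines of the form "<module> <version> <hash>" and
// returns them keyed by "<module> <version>". Lines that do not have exactly
// three fields (blank lines, stray text) are skipped.
func parseGoSum(goSum string) map[string]string {
	want := make(map[string]string)
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		want[f[0]+" "+f[1]] = f[2]
	}
	return want
}

// verify recomputes the checksum of the downloaded files and compares it with
// the go.sum entry. A mismatch means the download differs from what was
// recorded the first time the dependency was added; a missing entry means the
// version was never recorded at all.
func verify(goSum, mod, ver string, files modFiles) error {
	want, ok := parseGoSum(goSum)[mod+" "+ver]
	if !ok {
		return fmt.Errorf("%s %s: missing go.sum entry", mod, ver)
	}
	got, err := hash1(files)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("%s %s: checksum mismatch\n\tgo.sum:     %s\n\tdownloaded: %s", mod, ver, want, got)
	}
	return nil
}

func main() {
	mod, ver := "example.com/hello", "v1.0.0" // constructed sample module
	files := modFiles{
		mod + "@" + ver + "/go.mod":   []byte("module example.com/hello\n"),
		mod + "@" + ver + "/hello.go": []byte("package hello\n"),
	}
	// Record the pristine checksum, as `go get` would when the dependency is added.
	good, _ := hash1(files)
	goSum := fmt.Sprintf("%s %s %s\n", mod, ver, good)
	fmt.Println("pristine:", verify(goSum, mod, ver, files))

	// Simulate a later download whose source has been altered upstream.
	files[mod+"@"+ver+"/hello.go"] = []byte("package hello // altered after publication\n")
	fmt.Println("altered: ", verify(goSum, mod, ver, files))
}
```

The go command stores a second line per version, `<module> <version>/go.mod <hash>`, computed over the go.mod file alone, and it also checks a fresh download against the public checksum registry; this example only shows the local go.sum comparison.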
Another thing that was introduced is $GOPROXY. If this environment variable is set, modules are downloaded from there
The Go team has already released the official Go proxy
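How a proxy download is addressed, as an added example that is not part of the original slides or of the go command: it splits a GOPROXY value into its list of proxies, applies the proxy protocol's case encoding to the module path (upper-case ASCII letters become "!" plus the lower-case letter, so case-insensitive file systems cannot confuse two modules), and builds the three per-version endpoints the go command requests (.info, .mod, .zip). This goes a little beyond the slide by showing the request layout rather than just the variable. The proxy URL and module path used in main are sample values; https://proxy.golang.org is the public proxy the slides refer to.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// proxyList splits GOPROXY into its entries. The go command accepts "," and "|"
// as separators (with different fallback rules: after "," it tries the next
// entry only on 404/410, after "|" on any error); this example keeps only the
// ordered list. The keywords "direct" and "off" are passed through unchanged.
func proxyList(goproxy string) []string {
	var out []string
	for _, p := range strings.FieldsFunc(goproxy, func(r rune) bool { return r == ',' || r == '|' }) {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// escapeElem applies the proxy protocol's case encoding to a module path or
// version: every upper-case ASCII letter is replaced by "!" followed by its
// lower-case form, e.g. github.com/Azure/go-autorest -> github.com/!azure/go-autorest.
func escapeElem(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= 'A' && r <= 'Z' {
			b.WriteByte('!')
			b.WriteRune(r + ('a' - 'A'))
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// moduleURLs returns the endpoints a proxy serves for one module version:
// <proxy>/<escaped module>/@v/<escaped version>.info, .mod and .zip.
// "direct" means fetch from version control, not from a proxy, and "off"
// means downloads are refused, so neither yields URLs.
func moduleURLs(proxy, modPath, version string) (info, mod, zip string, err error) {
	switch proxy {
	case "off":
		return "", "", "", errors.New("GOPROXY=off: module downloads are disabled")
	case "direct":
		return "", "", "", errors.New("direct: fetched from the origin repository, no proxy endpoint")
	}
	base := strings.TrimSuffix(proxy, "/") + "/" + escapeElem(modPath) + "/@v/" + escapeElem(version)
	return base + ".info", base + ".mod", base + ".zip", nil
}

func main() {
	// Constructed sample: the default GOPROXY value and an arbitrary module path.
	goproxy := "https://proxy.golang.org,direct"
	modPath, version := "github.com/BurntSushi/toml", "v1.2.0"
	for _, p := range proxyList(goproxy) {
		info, mod, zip, err := moduleURLs(p, modPath, version)
		if err != nil {
			fmt.Printf("%s: %v\n", p, err)
			continue
		}
		fmt.Println(info)
		fmt.Println(mod)
		fmt.Println(zip)
	}
}
```

Because the checksum check from go.sum runs after the download regardless of which proxy served it, pointing GOPROXY at an internal mirror does not weaken verification; it only changes where the bytes come from.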