Go
Support for Go projects using go.mod.
Table of contents
- Supported Files
- Registry
- Dependency Format
- Version Specification
- Special Cases
- Vulnerability Database
- Example go.mod
- Tooling Integration
- Troubleshooting
Supported Files
| File | Description |
|---|---|
go.mod |
Go module definition |
Registry
Go Module Proxy - Official Go module mirror
- Base URL:
https://proxy.golang.org - Rate limit: Fair use policy (heavily cached)
- Documentation: go.dev
Dependency Format
Direct Dependencies
require (
github.com/gin-gonic/gin v1.9.1
golang.org/x/sync v0.6.0
)
Single Dependency
require github.com/gin-gonic/gin v1.9.1
Indirect Dependencies
require (
github.com/gin-gonic/gin v1.9.1
github.com/go-playground/validator/v10 v10.14.0 // indirect
)
Indirect dependencies are shown with lighter styling.
Version Specification
Go modules use strict semantic versioning:
| Format | Description |
|---|---|
v1.0.0 |
Standard semver |
v1.0.0+incompatible |
Pre-modules package |
v0.0.0-20210101000000-abcdef123456 |
Pseudo-version |
Major Version Paths
Go requires major version suffix for v2+:
require (
github.com/user/repo v1.5.0 // v1.x
github.com/user/repo/v2 v2.1.0 // v2.x
github.com/user/repo/v3 v3.0.0 // v3.x
)
Special Cases
Module Path Encoding
Go module paths use special encoding:
- Uppercase letters are escaped:
Azure→!azure - Dependi handles this automatically
Pseudo-versions
Pseudo-versions reference specific commits:
require github.com/user/repo v0.0.0-20231215000000-abcdef123456
These show → Pseudo hint (no direct update path).
Replace Directives
replace github.com/user/repo => ../local-repo
replace github.com/old/repo => github.com/new/repo v1.0.0
Replace directives show → Replaced hint.
Exclude Directives
exclude github.com/user/repo v1.0.1
Excluded versions are noted but don’t affect hints.
Retracted Versions
Retracted versions in Go show ⊘ Retracted hint (similar to yanked).
Vulnerability Database
Go vulnerabilities are sourced from:
- Go Vulnerability Database
- GitHub Security Advisories
Example go.mod
module github.com/myorg/myproject
go 1.21
require (
github.com/gin-gonic/gin v1.9.1 // ✓
github.com/spf13/cobra v1.7.0 // -> v1.8.0
golang.org/x/sync v0.6.0 // ✓
google.golang.org/grpc v1.59.0 // ✓
)
require (
github.com/bytedance/sonic v1.9.1 // indirect
github.com/gabriel-vasile/mimetype v1.4.2 // indirect
)
Tooling Integration
After updating go.mod with Dependi:
# Update go.sum
go mod tidy
# Verify module graph
go mod verify
# Download dependencies
go mod download
Troubleshooting
Module Not Found
- Verify module path is correct
- Check if module is public or requires authentication
- Ensure
GOPROXYenvironment isn’t blocking
Pseudo-version Updates
Pseudo-versions can’t be directly updated. You need to:
- Find the latest tagged version
- Update manually to the tag
- Or update the commit reference
Version Mismatch
Go modules are strictly versioned. If hints show unexpected versions:
- Check for
replacedirectives - Verify
go.modis in sync withgo.sum - Run
go mod tidyto clean up
Rate Limiting
The Go proxy uses CDN caching. First requests may be slower, but subsequent requests are fast.