0xBF
0xBF

0xBF

Go modules

0xBF's photo
0xBF

Published on Apr 18, 2021

2 min read

When you run go get

The first time you add a dependency to your project, Go will download a specific revision :

  1. A tagged version or,
  2. A tagged prerelease or,
  3. A specific commit

Build mod fetch list

When go fetch dependent packages from go.mod file, it will create the build list:

  1. Initialize an empty list L
  2. Take the list of modules required for the current module (go.mod)
  3. For each module required, get the list of modules required by this module (go.mod) and append those elements to the list L
  4. Repeat the operation for elements appended to the list
  5. In the end, the list may contain multiple entries for the same module path. If so, for each module path, keep the newest version.

To display the final build list of a module, you can type the command :

$ go list -m all

Update module

When you run go get -u, it will download the latest minor version update for that package. If that package has a new major version released, say v2.0, and your project is using v1.x, then the -u won't download the 2.0 version.

When a module switch from v0 or v1 to v2, it should modify its path to comply with the import compatibility rule.

To update all current modules, use:

$ go get -u ./...

You can also update a module to a specific version:

$ go get module_path@X

You can use this to either upgrade or downgrade a module.

go.sum

If you check the file content of go.sum, you will see something like this:

github.com/valyala/fasthttp v1.18.0 h1:IV0DdMlatq9QO1Cr6wGJPVW1sV1Q8HvZXAIcjorylyM=
github.com/valyala/fasthttp v1.18.0/go.mod h1:jjraHZVbKOXftJfsOYoAjaeygpj5hr8ermTRJNroD7A=

For each package, it has 2 listed checksums (The string after h1: shows the base64 of sha256 hash/checksum value of the module and its go.mod file). The purpose is, when you download the module, go needs to make sure you downloaded the correct file and the file is not corrupted. So after it calculated the file sum, it will compare to the package marked sum, if they matched, then you can be pretty sure you downloaded the right file.

One thing needs to be noticed is that, if you was using some module 1.0.0 before, then you upgrade it to 1.0.1, the go.sum file will keep both 1.0.0 and 1.0.1, that is kept on purpose just in case you want to downgrade to the previous 1.0.0 version.

go mod vendor

This command will create a vendor folder with all the sources of your dependencies

Reference

 
Share this