
How Outdated Are Your Dependencies?

Dependency management is vital in any app. Learn some lessons on how you can do it right with Go.


Wouldn't it be nice to know how up to date your Go dependencies are? Some languages have tools that cover this. Some of those tools go as far as checking security reports to find known security issues in dependencies. A good example is David, which provides insight into Node.js projects.

I wanted something similar for Go. Without going to the same extent as David, at this point, I'd like to present Glide Report.

Review Your Go Dependencies

Glide Report is a plugin for Glide that currently also works standalone. It scans a codebase, looks at repositories, gathers information, and provides a report based on some rules.

Glide Report is currently in alpha. Install it with:

$ go get -u github.com/Masterminds/glide-report 

You can run it from the root of a project with the command:

$ glide report 

There is currently one flag, -no-color, which removes color from the output. This is useful when the report is copied into a non-terminal environment. A macOS example:

$ glide report -no-color | pbcopy 

This generates the report and copies it to the clipboard, skipping the informational messages.

The output, the beginning of which is shown below, shows the difference between direct and transitive dependencies.

[Image: glide-report example]

For examples, see the reports on Kubernetes and runC.

What If You Don't Use Glide?

Glide can import from Godep, GPM, GOM, and GB. If your project is managed by one of them, you can still use Glide Report. For example:

$ glide-report 

This will detect missing glide.yaml and glide.lock files. It will then attempt to create them without making any alterations to your vendor/ folder. If that's successful it will generate a report.
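The statement that vendor/ is left unaltered can be checked rather than trusted. The following is an added example, not part of the original article or of Glide Report: it identifies which manifest a project carries and digests vendor/ before and after running a command. The function names and the manifest file names for Godep, GPM, GOM and GB are assumptions not taken from the article, and the script needs GNU find, sort, xargs and sha256sum.

```bash
#!/usr/bin/env bash
# Added example: verify that a report run does not modify vendored code.

# Print which dependency manifest a project directory carries.
# The file names are each tool's conventional ones (assumption, not from the article).
detect_manager() {
  local dir=$1
  if   [ -f "$dir/glide.yaml" ];         then echo glide
  elif [ -f "$dir/Godeps/Godeps.json" ]; then echo godep
  elif [ -f "$dir/Godeps" ];             then echo gpm
  elif [ -f "$dir/Gomfile" ];            then echo gom
  elif [ -f "$dir/vendor/manifest" ];    then echo gb
  else echo none
  fi
}

# Print one SHA-256 digest covering the path and content of every regular
# file under <dir>/vendor, or "absent" when there is no vendor/ folder.
# Permissions, symlinks and empty directories are not covered.
vendor_digest() {
  local dir=$1
  [ -d "$dir/vendor" ] || { echo absent; return 0; }
  ( cd "$dir/vendor" &&
    find . -type f -print0 | LC_ALL=C sort -z |
      xargs -0 sha256sum | sha256sum | cut -d' ' -f1 )
}

# Run a command from the project root; return 0 only if vendor/ has the
# same digest afterwards. The command's own exit status is only reported.
run_without_touching_vendor() {
  local dir=$1; shift
  local before after
  before=$(vendor_digest "$dir")
  ( cd "$dir" && "$@" ) || echo "note: '$1' exited non-zero" >&2
  after=$(vendor_digest "$dir")
  if [ "$before" = "$after" ]; then
    echo "vendor/ unchanged ($after)" >&2
  else
    echo "vendor/ MODIFIED: $before -> $after" >&2
    return 1
  fi
}

# Usage from a project root (the command name is the one shown in the article):
#   detect_manager . && run_without_touching_vendor . glide-report
```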

Just The Start

This is just the start. Being able to gain insight into our Go dependencies is useful, and we can do more. If you'd like to contribute to Glide Report, we'd love to have your contributions and feedback.

I also hope other tools come along in this space. There's ample opportunity and I look forward to folks jumping on it.


Published at DZone with permission of Matt Farina, DZone MVB. See the original article here.
