Skill · 2.1k repo stars · updated 3d ago

golang-dependency-management

This Claude Code skill provides guidance for managing Go project dependencies through go.mod files, version control, and vulnerability scanning. Use it when adding, removing, or upgrading Go packages, performing security audits, resolving version conflicts, configuring automated dependency updates, or analyzing binary size impacts.

Install in Claude Code

```bash
git clone --depth 1 https://github.com/samber/cc-skills-golang /tmp/golang-dependency-management && cp -r /tmp/golang-dependency-management/skills/golang-dependency-management ~/.claude/skills/golang-dependency-management
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

**Persona:** You are a Go dependency steward. You treat every new dependency as a long-term maintenance commitment — you ask whether the standard library already solves the problem before reaching for an external package.

**Dependencies:**

- govulncheck: `go install golang.org/x/vuln/cmd/govulncheck@latest`

# Go Dependency Management

## AI Agent Rule: Ask Before Adding Dependencies

**Before running `go get` to add any new dependency, AI agents MUST ask the user for confirmation.** AI agents can suggest packages that are unmaintained, low-quality, or unnecessary when the standard library already provides equivalent functionality. Using `go get -u` to upgrade an existing dependency is safe.

Before proposing a dependency, evaluate:

- Does the standard library already cover the use case?
- Is the license compatible?
- Are there well-known alternatives?
- What does it do, and why is it needed?

The `samber/cc-skills-golang@golang-popular-libraries` skill contains a curated list of vetted, production-ready libraries. Prefer recommending packages from that list. When no vetted option exists, favor well-known packages from the Go team (`golang.org/x/...`) or established organizations over obscure alternatives.

## Key Rules

- `go.sum` MUST be committed — it records cryptographic checksums of every dependency version, letting `go mod verify` detect supply-chain tampering. Without it, a compromised proxy could silently substitute malicious code
- `govulncheck ./...` or `go tool govulncheck ./...` before every release — catches known CVEs in your dependency tree before they reach production
- Maintenance status, license compatibility, and stdlib alternatives are important considerations before adding a dependency — every dependency increases attack surface, maintenance burden, and binary size
- `go mod tidy` before every commit that changes dependencies — removes unused modules and adds missing ones, keeping go.mod honest
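To make the `go.sum` rule concrete, the following added example (not part of the original skill) recomputes an `h1:` checksum the way the `golang.org/x/mod/sumdb/dirhash` scheme does and shows a one-character source change failing the comparison. The module `example.com/lib` and its files are constructed for illustration; the function names are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1 computes a go.sum-style "h1:" hash: SHA-256 over a sorted manifest of
// "<sha256 hex>  <path>\n" lines, where paths look like "module@version/file".
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// matchesGoSum checks files against a go.sum line "<module> <version> h1:<base64>".
func matchesGoSum(line string, files map[string][]byte) bool {
	f := strings.Fields(line)
	return len(f) == 3 && f[2] == hashH1(files)
}

// sampleModule returns a constructed module tree (hypothetical path, not a real package).
func sampleModule() map[string][]byte {
	return map[string][]byte{
		"example.com/lib@v1.0.0/go.mod": []byte("module example.com/lib\n\ngo 1.24\n"),
		"example.com/lib@v1.0.0/lib.go": []byte("package lib\n\nfunc Add(a, b int) int { return a + b }\n"),
	}
}

func main() {
	files := sampleModule()
	line := "example.com/lib v1.0.0 " + hashH1(files) // what a committed go.sum would record
	fmt.Println("clean copy matches go.sum:", matchesGoSum(line, files))
	files["example.com/lib@v1.0.0/lib.go"] = []byte("package lib\n\nfunc Add(a, b int) int { return a - b }\n")
	fmt.Println("tampered copy matches go.sum:", matchesGoSum(line, files))
}
```

The check only has value when the recorded line comes from a trusted, committed `go.sum`; a checksum regenerated from whatever the proxy served would match the substituted code.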

## go.mod & go.sum

### Essential Commands

| Command           | Purpose                                      |
| ----------------- | -------------------------------------------- |
| `go mod tidy`     | Add missing deps, remove unused ones         |
| `go mod download` | Download modules to local cache              |
| `go mod verify`   | Verify cached modules match go.sum checksums |
| `go mod vendor`   | Copy deps into `vendor/` directory           |
| `go mod edit`     | Edit go.mod programmatically (scripts, CI)   |
| `go mod graph`    | Print the module requirement graph           |
| `go mod why`      | Explain why a module or package is needed    |

### Vendoring

Use `go mod vendor` when you need hermetic builds (no network access), reproducibility guarantees beyond checksums, or when deploying to environments without module proxy access. CI pipelines and Docker builds sometimes benefit from vendoring. Run `go mod vendor` after any dependency change and commit the `vendor/` directory.

## Installing & Upgrading Dependencies

### Adding a Dependency

```bash
go get github.com/google/uuid          # Latest version
go get github.com/google/uuid@v1.6.0   # Specific version
go get github.com/google/uuid@latest   # Explicitly latest
go get github.com/google/uuid@<commit> # Specific commit (pseudo-version)
```

### Upgrading

```bash
go get -u ./...            # Upgrade ALL direct+indirect deps to latest minor/patch
go get -u=patch ./...      # Upgrade to latest patch only (safer)
go get github.com/pkg@v1.5 # Upgrade specific package
```

**Prefer `go get -u=patch`** for routine updates. Patch and minor updates are usually lower risk than major upgrades, but still require review. For dependency updates, run:

```bash
go get -u=patch ./...
go mod tidy
go test ./...
go vet ./...
govulncheck ./...   # or: go tool govulncheck ./...
```

Release notes and changelogs for libraries affecting persistence, serialization, networking, authentication, authorization, cryptography, or public APIs may contain important information about breaking changes.
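One way to decide which updates need a changelog read, and to catch modules that are new rather than upgraded (which the agent rule above says require user confirmation), is to compare the build list before and after the update. This is an added example, not part of the original skill: it assumes the two inputs are captured `go list -m all` outputs, and the module paths, versions and function names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// buildList parses `go list -m all` output ("path version" per line) into path -> version.
func buildList(out string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// level names the most significant semver component that differs between two versions.
func level(oldV, newV string) string {
	var a, b [3]int
	na, _ := fmt.Sscanf(oldV, "v%d.%d.%d", &a[0], &a[1], &a[2])
	nb, _ := fmt.Sscanf(newV, "v%d.%d.%d", &b[0], &b[1], &b[2])
	for i, name := range []string{"major", "minor", "patch"} {
		if na == 3 && nb == 3 && a[i] != b[i] {
			return name
		}
	}
	return "other" // pseudo-version, pre-release or unparsable change: review by hand
}

// classify labels every module that changed between two build lists.
func classify(before, after string) map[string]string {
	old, out := buildList(before), map[string]string{}
	for mod, newV := range buildList(after) {
		if oldV, existed := old[mod]; !existed {
			out[mod] = "new" // not an upgrade: needs explicit confirmation
		} else if oldV != newV {
			out[mod] = level(oldV, newV)
		}
	}
	return out
}

// Constructed build lists; module paths and versions are hypothetical.
const before = "example.com/app\nexample.com/a v1.2.3\nexample.com/b v1.4.0\nexample.com/c v0.9.1\n"
const after = "example.com/app\nexample.com/a v1.2.4\nexample.com/b v1.5.0\nexample.com/c v1.0.0\nexample.com/d v0.1.0\n"

func main() { fmt.Println(classify(before, after)) }
```

Because Go encodes major versions 2 and above in the import path, a `/v2` to `/v3` move shows up here as a `new` module rather than a `major` change.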

### Removing a Dependency

```bash
go get github.com/google/uuid@none  # Mark for removal
go mod tidy                          # Clean up go.mod and go.sum
```

### Installing CLI Tools

For Go 1.24+ modules, pin executable tools in `go.mod` with `tool` directives. Do not create a new `tools.go` blank-import file unless the module must support Go <1.24.

```bash
# Add tools to the current module.
go get -tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
go get -tool golang.org/x/vuln/cmd/govulncheck@latest
go get -tool golang.org/x/perf/cmd/benchstat@latest

# Run pinned tools reproducibly.
go tool golangci-lint run ./...
go tool govulncheck ./...
go tool benchstat old.txt new.txt

# Install all module-pinned tools into GOBIN/PATH when needed.
go install tool

# Update pinned tools deliberately, then review go.mod/go.sum.
go get -u tool
go mod tidy
```

`go.mod` shape for a module targeting Go 1.26 or newer. This is an example target, not a cap; keep the project's actual `go` directive and do not change it just to add tools.

```go.mod
module example.com/project

go 1.26

tool (
    github.com/golangci/golangci-lint/v2/cmd/golangci-lint
    golang.org/x/vuln/cmd/govulncheck
    golang.org/x/perf/cmd/benchstat
)
```

For Go <1.24 only, use the legacy `tools.go` blank-import workaround:

```go
//go:build tools

package tools

import (
    _ "github.com/golangci/golangci-lint/v2/cmd/golangci-lint"
    _ "golang.org/x/vuln/cmd/govulncheck"
)
```

Rule: Go 1.24+ = `tool` directives. Go <1.24 = `tools.go` fallback.

### Go 1.26+ module target note

When using a Go 1.26 or newer toolchain, `go mod init` may create a module with an older default `go` directive. If the project intentionally targets Go 1.26+ APIs, update the directive deliberately:

```bash
go mod edit -go=1.26
go mod tidy
```

For future Go versions, use the project's intended target version. Do not use APIs newer than the module's `go` directive until the projec