depaware makes you aware of your Go dependencies.
It generates a list of your dependencies which you check in to your repo:
Then you and others can easily see what your dependencies are, how they vary by operating system (the letters L(inux), D(arwin), W(indows) in the left column), and whether they use unsafe/cgo (bomb icon).
Then you hook it up to your CI so it's a build breakage if they're not up to date:
Then during code review you'll see in your review whether/how your dependencies changed, and you can decide whether that's appropriate.
You'll probably want to pin a specific version of the depaware tool in your go.mod file that survives a "go mod tidy". You can add a file like this to your project:
The depaware command makes you aware of your dependencies by putting them in your face in git and during code review.
The idea is that you store the depaware output next to any desired packages or binaries and check them in to git, making it a CI failure if they're out of date, and thus make you aware of dependency changes during code review.
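To make the code-review step concrete, here is an added example (not depaware's own code) that compares two checked-in listings and reports packages that newly carry the unsafe/cgo bomb marker. It assumes each record has the layout `[OS letters] [💣] package from importer`; the package paths in the sample listings are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// dep holds the left-column markers of one record in a depaware-style listing.
type dep struct {
	OS     string // subset of "LDW"; empty when the line carries no OS letters
	Unsafe bool   // bomb icon: the package uses unsafe/cgo
}

// parse assumes records of the form "[LDW] [💣] package from importer".
func parse(listing string) map[string]dep {
	deps := map[string]dep{}
	for _, line := range strings.Split(listing, "\n") {
		left, _, ok := strings.Cut(line, " from ")
		f := strings.Fields(left)
		if !ok || len(f) == 0 {
			continue // header or blank line, not a record
		}
		marks := strings.Join(f[:len(f)-1], "") // everything before the package path
		deps[f[len(f)-1]] = dep{OS: strings.Trim(marks, "💣"), Unsafe: strings.Contains(marks, "💣")}
	}
	return deps
}

// newlyUnsafe lists packages flagged unsafe/cgo in cur that were absent or
// unflagged in old, which is what a reviewer should look at first.
func newlyUnsafe(old, cur string) []string {
	before, after := parse(old), parse(cur)
	var out []string
	for pkg, d := range after {
		if d.Unsafe && !before[pkg].Unsafe {
			out = append(out, pkg+" ["+d.OS+"]")
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample listings; the package paths are made up.
const oldList = "        example.com/a from example.com/app\n   L    example.com/b from example.com/a\n"
const curList = "        example.com/a from example.com/app\n   L 💣 example.com/b from example.com/a\n   W 💣 example.com/winapi from example.com/a\n"

func main() { fmt.Println(newlyUnsafe(oldList, curList)) }
```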
Package depaware is the guts of the depaware program.