github.com/Masterminds/glide
Are you used to tools such as Cargo, npm, Composer, Nuget, Pip, Maven, Bundler, or other modern package managers? If so, Glide is the comparable Go tool.
Manage your vendor and vendored packages with ease. Glide is a tool for managing the vendor directory within a Go package. This feature, first introduced in Go 1.5, allows each package to have a vendor directory containing dependent packages for the project. These vendor packages can be installed by a tool (e.g. glide), similar to go get, or they can be vendored and distributed with the package.
The Go community is now using Go Modules to handle dependencies. Please consider using that instead of Glide. Glide is now mostly unmaintained.
github.com/Masterminds/semver package can parse can be used.
go tools
Glide scans the source code of your application or library to determine the needed dependencies. To determine the versions and locations (such as aliases for forks) Glide reads a glide.yaml file with the rules. With this information Glide retrieves needed dependencies.
When a dependent package is encountered its imports are scanned to determine dependencies of dependencies (transitive dependencies). If the dependent project contains a glide.yaml file that information is used to help determine the dependency rules when fetching from a location or version to use. Configuration from Godep, GB, GOM, and GPM is also imported.
The dependencies are exported to the vendor/ directory where the go tools can find and use them. A glide.lock file is generated containing all the dependencies, including transitive ones.
The glide init command can be used to set up a new project, glide update regenerates the dependency versions using scanning and rules, and glide install will install the versions listed in the glide.lock file, skipping scanning, unless the glide.lock file is not found, in which case it will perform an update.
A project is structured like this:
- $GOPATH/src/myProject (Your project)
  |
  |-- glide.yaml
  |
  |-- glide.lock
  |
  |-- main.go (Your main go code can live here)
  |
  |-- mySubpackage (You can create your own subpackages, too)
  |    |
  |    |-- foo.go
  |
  |-- vendor
       |-- github.com
            |
            |-- Masterminds
                  |
                  |-- ... etc.
Take a look at the Glide source code to see this philosophy in action.
The easiest way to install the latest release on Mac or Linux is with the following script:
curl https://glide.sh/get | sh
On Mac OS X you can also install the latest release via Homebrew:
$ brew install glide
On Ubuntu Precise (12.04), Trusty (14.04), Wily (15.10) or Xenial (16.04) you can install from our PPA:
sudo add-apt-repository ppa:masterminds/glide && sudo apt-get update
sudo apt-get install glide
On Ubuntu Zesty (17.04) the package is called golang-glide.
Binary packages are available for Mac, Linux and Windows.
For a development version it is also possible to go get github.com/Masterminds/glide.
To build from source you can:
$GOPATH/src/github.com/Masterminds/glide and change directory into it
export GO15VENDOREXPERIMENT=1. In Go 1.6 it is enabled by default and in Go 1.7 it is always enabled without the ability to turn it off.
make build
This will leave you with ./glide, which you can put in your $PATH if you'd like. (You can also take a look at make install to install for you.)
The Glide repo has now been configured to use glide to manage itself, too.
$ glide create # Start a new workspace
$ open glide.yaml # and edit away!
$ glide get github.com/Masterminds/cookoo # Get a package and add to glide.yaml
$ glide install # Install packages and dependencies
# work, work, work
$ go build # Go tools work normally
$ glide up # Update to newest versions of the package
Check out the glide.yaml in this directory, or examples in the docs/ directory.
Initialize a new workspace. Among other things, this creates a glide.yaml file while attempting to guess the packages and versions to put in it. For example, if your project is using Godep it will use the versions specified there. Glide is smart enough to scan your codebase and detect the imports being used whether they are specified with another package manager or not.
$ glide create
[INFO] Generating a YAML configuration file and guessing the dependencies
[INFO] Attempting to import from other package managers (use --skip-import to skip)
[INFO] Scanning code to look for dependencies
[INFO] --> Found reference to github.com/Masterminds/semver
[INFO] --> Found reference to github.com/Masterminds/vcs
[INFO] --> Found reference to github.com/codegangsta/cli
[INFO] --> Found reference to gopkg.in/yaml.v2
[INFO] Writing configuration file (glide.yaml)
[INFO] Would you like Glide to help you find ways to improve your glide.yaml configuration?
[INFO] If you want to revisit this step you can use the config-wizard command at any time.
[INFO] Yes (Y) or No (N)?
n
[INFO] You can now edit the glide.yaml file. Consider:
[INFO] --> Using versions and ranges. See https://glide.sh/docs/versions/
[INFO] --> Adding additional metadata. See https://glide.sh/docs/glide.yaml/
[INFO] --> Running the config-wizard command to improve the versions in your configuration
The config-wizard, noted here, can be run here or manually run at a later time.
This wizard helps you figure out versions and ranges you can use for your dependencies.
This runs a wizard that scans your dependencies and retrieves information on them to offer up suggestions that you can interactively choose. For example, it can discover if a dependency uses semantic versions and help you choose the version ranges to use.
You can download one or more packages to your vendor directory and have it added to your glide.yaml file with glide get.
$ glide get github.com/Masterminds/cookoo
When glide get is used it will introspect the listed package to resolve its dependencies including using Godep, GPM, Gom, and GB config files.
Download or update all of the libraries listed in the glide.yaml file and put them in the vendor directory. It will also recursively walk through the dependency packages to fetch anything that's needed and read in any configuration.
$ glide up
This will recurse over the packages looking for other projects managed by Glide, Godep, gb, gom, and GPM. When one is found those packages will be installed as needed.
A glide.lock file will be created or updated with the dependencies pinned to specific versions. For example, if in the glide.yaml file a version was specified as a range (e.g., ^1.2.3) it will be set to a specific commit id in the glide.lock file. That allows for reproducible installs (see glide install).
To remove any nested vendor/ directories from fetched packages see the -v flag.
When you want to install the specific versions from the glide.lock file use glide install.
$ glide install
This will read the glide.lock file and install the commit id specific versions there.
When the glide.lock file doesn't tie to the glide.yaml file, such as there being a change, it will provide a warning. Running glide up will recreate the glide.lock file when updating the dependency tree.
If no glide.lock file is present glide install will perform an update and generate a lock file.
To remove any nested vendor/ directories from fetched packages see the -v flag.
When you run commands like go test ./... it will iterate over all the subdirectories including the vendor directory. When you are testing your application you may want to test your application files without running all the tests of your dependencies and their dependencies. This is where the novendor command comes in. It lists all of the directories except vendor.
$ go test $(glide novendor)
This will run go test over all directories of your project except the vendor directory.
When you're scripting with Glide there are occasions where you need to know the name of the package you're working on. glide name returns the name of the package listed in the glide.yaml file.
Glide includes a few commands that inspect code and give you details about what is imported. glide tree is one such command. Running it gives data like this:
$ glide tree
github.com/Masterminds/glide
github.com/Masterminds/cookoo (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/cookoo)
github.com/Masterminds/cookoo/io (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/cookoo/io)
github.com/Masterminds/glide/cmd (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/cmd)
github.com/Masterminds/cookoo (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/cookoo)
github.com/Masterminds/cookoo/io (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/cookoo/io)
github.com/Masterminds/glide/gb (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/gb)
github.com/Masterminds/glide/util (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/util)
github.com/Masterminds/vcs (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/vcs)
github.com/Masterminds/glide/yaml (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/yaml)
github.com/Masterminds/glide/util (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/util)
github.com/Masterminds/vcs (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/vcs)
github.com/Masterminds/vcs (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/vcs)
gopkg.in/yaml.v2 (/Users/mfarina/Code/go/src/gopkg.in/yaml.v2)
github.com/Masterminds/semver (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/semver)
github.com/Masterminds/vcs (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/vcs)
github.com/codegangsta/cli (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/codegangsta/cli)
github.com/codegangsta/cli (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/codegangsta/cli)
github.com/Masterminds/cookoo (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/cookoo)
github.com/Masterminds/cookoo/io (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/cookoo/io)
github.com/Masterminds/glide/gb (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/gb)
github.com/Masterminds/glide/util (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/util)
github.com/Masterminds/vcs (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/vcs)
github.com/Masterminds/glide/yaml (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/yaml)
github.com/Masterminds/glide/util (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/util)
github.com/Masterminds/vcs (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/vcs)
github.com/Masterminds/vcs (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/vcs)
gopkg.in/yaml.v2 (/Users/mfarina/Code/go/src/gopkg.in/yaml.v2)
github.com/Masterminds/semver (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/semver)
github.com/Masterminds/vcs (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/Masterminds/vcs)
github.com/codegangsta/cli (/Users/mfarina/Code/go/src/github.com/Masterminds/glide/vendor/github.com/codegangsta/cli)
This shows a tree of imports, excluding core libraries. Because vendoring makes it possible for the same package to live in multiple places, glide tree also prints the location of the package being imported.
This command is deprecated and will be removed in the near future.
Glide's list command shows an alphabetized list of all the packages that a project imports.
$ glide list
INSTALLED packages:
vendor/github.com/Masterminds/cookoo
vendor/github.com/Masterminds/cookoo/fmt
vendor/github.com/Masterminds/cookoo/io
vendor/github.com/Masterminds/cookoo/web
vendor/github.com/Masterminds/semver
vendor/github.com/Masterminds/vcs
vendor/github.com/codegangsta/cli
vendor/gopkg.in/yaml.v2
Print the glide help.
$ glide help
Print the version and exit.
$ glide --version
glide version 0.12.0
For full details on the glide.yaml files see the documentation.
The glide.yaml file does two critical things:
A brief glide.yaml file looks like this:
package: github.com/Masterminds/glide
import:
  - package: github.com/Masterminds/semver
  - package: github.com/Masterminds/cookoo
    version: ^1.2.0
    repo: git@github.com:Masterminds/cookoo.git
The above tells glide that...
github.com/Masterminds/glide
The first library exemplifies a minimal package import. It merely gives the fully qualified import path.
When Glide reads the definition for the second library, it will get the repo from the source in repo, check out the latest version between 1.2.0 and 2.0.0, and put it in github.com/Masterminds/cookoo in the vendor directory. (Note that package and repo can be completely different.)
TIP: The version is either VCS dependent and can be anything that can be checked out or a semantic version constraint that can be parsed by the github.com/Masterminds/semver package. For example, with Git this can be a branch, tag, or hash. This varies and depends on what's supported in the VCS.
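An added example, not code from the Glide project: a small Go check that reads the import list format shown above and reports which entries are not fixed to a full commit id in glide.yaml, so the revision actually fetched is decided at update time and recorded only in glide.lock. The function name Unpinned, the example.com import and its commit id are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the page's glide.yaml plus a made-up import pinned to a placeholder commit id.
const sample = `package: github.com/Masterminds/glide
import:
  - package: github.com/Masterminds/semver
  - package: github.com/Masterminds/cookoo
    version: ^1.2.0
    repo: git@github.com:Masterminds/cookoo.git
  - package: example.com/lib/alpha
    version: 0123456789abcdef0123456789abcdef01234567
`

var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Unpinned scans the flat import list shape shown above (a line scanner, not a
// YAML parser) and reports every import whose version is not a full commit id.
func Unpinned(doc string) (out []string) {
	pkgs, vers, in := []string{}, []string{}, false
	for _, raw := range strings.Split(doc, "\n") {
		key, val, _ := strings.Cut(strings.TrimSpace(raw), ":")
		val = strings.Trim(val, " \"'")
		switch {
		case raw != "" && raw[0] != ' ' && raw[0] != '-': // top-level key
			in = key == "import"
		case in && key == "- package":
			pkgs, vers = append(pkgs, val), append(vers, "")
		case in && key == "version" && len(vers) > 0:
			vers[len(vers)-1] = val
		}
	}
	for i, v := range vers {
		if v == "" {
			out = append(out, pkgs[i]+": no version constraint")
		} else if !fullSHA.MatchString(v) {
			out = append(out, pkgs[i]+": "+v+" is resolved at update time")
		}
	}
	return out
}

func main() {
	fmt.Println(strings.Join(Unpinned(sample), "\n"))
}
```

A branch or tag name is reported the same way as a range, because the string alone does not say which commit it points to.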
TIP: In general, you are advised to use the base package name for importing a package, not a subpackage name. For example, use github.com/kylelemons/go-gypsy and not github.com/kylelemons/go-gypsy/yaml.
The Git, SVN, Mercurial (Hg), and Bzr source control systems are supported. This happens through the vcs package.
In Go every directory is a package. This works well when you have one repo containing all of your packages. When you have different packages in different VCS locations things become a bit more complicated. A project containing a collection of packages should be handled with the same information including the version. By grouping packages this way we are able to manage the related information.
These are works in progress, and may need some additional tuning. Please take a look at the vcs package. If you see a better way to handle it please let us know.
vendor/ into version control?
That's up to you. It's not necessary, but it may also cause you extra work and lots of extra space in your VCS. There may also be unforeseen errors (see an example).
There are two parts to importing.
glide import command. For example, you can run glide import godep for Glide to detect the project's Godep configuration and generate a glide.yaml file for you.
Each of these will merge your existing glide.yaml file with the dependencies it finds for those managers, and then emit the file as output. It will not overwrite your glide.yaml file.
You can write it to file like this:
$ glide import godep -f glide.yaml
A: Yes. Using the os and arch fields on a package, you can specify which OSes and architectures the package should be fetched for. For example, the following package will only be fetched for 64-bit Darwin/OSX systems:
- package: some/package
  os:
    - darwin
  arch:
    - amd64
The package will not be fetched for other architectures or OSes.
This package is made available under an MIT-style license. See LICENSE.txt.
We owe a huge debt of gratitude to the GPM and GVP projects, which inspired many of the features of this package. If glide isn't the right Go project manager for you, check out those.
The Composer (PHP), npm (JavaScript), and Bundler (Ruby) projects all inspired various aspects of this tool, as well.
Aside from being catchy, "glide" is a contraction of "Go Elide". The idea is to compress the tasks that normally take us lots of time into just a few seconds.