github.com/tools/godep
Please use dep or another tool instead.
The rest of this readme is preserved for those that may still need its contents.
godep helps build packages reproducibly by fixing their dependencies.
This tool assumes you are working in a standard Go workspace, as described here. We expect godep to build on Go 1.4* or newer, but you can use it on any project that works with Go 1 or newer.
Please check the FAQ if you have a question.
The Go community now has the dep project to manage dependencies. Please consider trying to migrate from Godep to dep. If there is an issue preventing you from migrating please file an issue with dep so the problem can be corrected. Godep will continue to be supported for some time but is considered to be in a state of support rather than active feature development.
```sh
go get github.com/tools/godep
```

Assuming you've got everything working already, so you can build your project with `go install` and test it with `go test`, it's one command to start using:

```sh
godep save
```
This will save a list of dependencies to the file `Godeps/Godeps.json` and copy their source code into `vendor/` (or `Godeps/_workspace/` when using older versions of Go). Godep does not copy:

- `*_test.go` files.
- `testdata` directories.

Godep does not process the imports of `.go` files with either the `ignore` or `appengine` build tags.

Test files and `testdata` directories can be saved by adding `-t`.

Read over the contents of `vendor/` and make sure it looks reasonable. Then commit the `Godeps/` and `vendor/` directories to version control.
`-r` flag

For older versions of Go, the `-r` flag tells `save` to automatically rewrite package import paths. This allows your code to refer directly to the copied dependencies in `Godeps/_workspace`. So, a package C that depends on package D will actually import `C/Godeps/_workspace/src/D`. This makes C's repo self-contained and causes `go get` to build C with the right version of all dependencies.
If you don't use `-r` with older versions of Go, then in order to use the fixed dependencies and get reproducible builds, you must make sure that every time you run a Go-related command, you wrap it in one of these two ways:

- If you use `go`, run it as `godep go ...`, e.g. `godep go install -v ./...`
- Set `$GOPATH` using `godep path` as described below.

`-r` isn't necessary with go1.6+ and isn't allowed.
The `godep restore` command installs the package versions specified in `Godeps/Godeps.json` to your `$GOPATH`. This modifies the state of packages in your `$GOPATH`. NOTE: `godep restore` leaves git repositories in a detached state. go1.6+ no longer checks out the master branch when doing a `go get`, see here. If you run `godep restore` in your main `$GOPATH`, `go get -u` will fail on packages that are behind master. Please see the FAQ section about restore.

```sh
godep go test
```
To add a new package foo/bar, do this:

```sh
go get foo/bar
godep save
```

(or `godep save ./...`). To update a package from your `$GOPATH`, do this:

```sh
go get -u foo/bar
godep update foo/bar
```

You can use the `...` wildcard, for example `godep update foo/...`. Before committing the change, you'll probably want to inspect the changes to Godeps, for example with `git diff`, and make sure it looks reasonable.

If your repository has more than one package, you're probably accustomed to running commands like `go test ./...`, `go install ./...`, and `go fmt ./...`. Similarly, you should run `godep save ./...` to capture the dependencies of all packages in your application.
Godeps is a JSON file with the following structure:

```go
type Godeps struct {
	ImportPath   string
	GoVersion    string   // Abridged output of 'go version'.
	GodepVersion string   // Abridged output of 'godep version'.
	Packages     []string // Arguments to godep save, if any.
	Deps         []struct {
		ImportPath string
		Comment    string // Description of commit, if present.
		Rev        string // VCS-specific commit ID.
	}
}
```

Example Godeps:

```json
{
	"ImportPath": "github.com/kr/hk",
	"GoVersion": "go1.6",
	"Deps": [
		{
			"ImportPath": "code.google.com/p/go-netrc/netrc",
			"Rev": "28676070ab99"
		},
		{
			"ImportPath": "github.com/kr/binarydist",
			"Rev": "3380ade90f8b0dfa3e363fd7d7e941fa857d0d13"
		}
	]
}
```
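As an added example (not part of the godep README or the godep code), the following Go program parses a Godeps.json in the structure above and lists dependencies whose `Rev` is not a full 40-hex-digit commit id, since an abbreviated id is a weaker pin for reproducible builds. The function name `CheckPins` and the SHA-1 heuristic are this example's own assumptions, and the embedded input is the README's example file.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Godeps and Dep mirror the Godeps/Godeps.json structure shown above.
type Godeps struct {
	ImportPath, GoVersion, GodepVersion string
	Packages                            []string
	Deps                                []Dep
}
type Dep struct {
	ImportPath, Comment, Rev string
}

// A full 40-hex-digit SHA-1 is the only Rev form that a later push upstream
// cannot make ambiguous; an abbreviated or empty Rev is a weaker pin (heuristic).
var fullSHA1 = regexp.MustCompile(`^[0-9a-f]{40}$`)

// CheckPins parses a Godeps.json document and returns the import paths of
// every dependency whose Rev is not a full commit id.
func CheckPins(raw []byte) ([]string, error) {
	var g Godeps
	if err := json.Unmarshal(raw, &g); err != nil {
		return nil, fmt.Errorf("parse Godeps.json: %w", err)
	}
	var weak []string
	for _, d := range g.Deps {
		if !fullSHA1.MatchString(d.Rev) {
			weak = append(weak, d.ImportPath)
		}
	}
	return weak, nil
}

// sampleGodeps is the README's example file, embedded as constructed input.
const sampleGodeps = `{"ImportPath":"github.com/kr/hk","GoVersion":"go1.6","Deps":[
 {"ImportPath":"code.google.com/p/go-netrc/netrc","Rev":"28676070ab99"},
 {"ImportPath":"github.com/kr/binarydist","Rev":"3380ade90f8b0dfa3e363fd7d7e941fa857d0d13"}]}`

func main() {
	weak, err := CheckPins([]byte(sampleGodeps))
	if err != nil {
		panic(err)
	}
	fmt.Println("weakly pinned:", weak) // [code.google.com/p/go-netrc/netrc]
}
```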
Godep supports the Go 1.5+ `vendor/` experiment utilizing the same environment variable that the go tooling itself supports (`GO15VENDOREXPERIMENT`).

godep mostly works the same way as the `go` command line tool. If you have go 1.5.X and set `GO15VENDOREXPERIMENT=1`, or have go1.6.X (or devel), `vendor/` is enabled, unless you already have a `Godeps/_workspace`. This is a safety feature and godep warns you about this.

When `vendor/` is enabled godep will write the vendored code into the top level `./vendor/` directory. A `./Godeps/Godeps.json` file is created to track the dependencies and revisions. `vendor/` is not compatible with rewrites.
There is currently no automated migration between the old Godeps workspace and the vendor directory, but the following steps should work:
```sh
# just to be safe
$ unset GO15VENDOREXPERIMENT
# restore currently vendored deps to the $GOPATH
$ godep restore
# The next line is only needed to automatically undo rewritten imports that were
# created with godep save -r.
$ godep save -r=false <pkg spec>
# Remove the old Godeps folder
$ rm -rf Godeps
# If on go1.5.X to enable `vendor/`
$ export GO15VENDOREXPERIMENT=1
# re-analyze deps and save to `vendor/`.
$ godep save <pkg spec>
# Add the changes to your VCS
$ git add -A . ; git commit -am "Godep workspace -> vendor/"
# You should see your Godeps/_workspace/src files "moved" to vendor/.
```