I used to think this too, but the more I use Go the more I enjoy not needing to maintain a silly manifest

I keep meaning to spend some time playing with Go, but I haven't yet so I don't know how that feels. However, I wonder what it says that several dependency management tools have emerged for Go.

https://github.com/mattn/gom

https://github.com/nitrous-io/goop

https://github.com/tools/godep

> However, I wonder what it says that several dependency management tools have emerged for Go.

In the case of Go, it's more meaningful to note that most larger Go projects have been developed for quite some time without needing any of these tools.

If you need specific versions, the standard, idiomatic Go approach is to vendor your dependencies. Google, for example, does not use any Go-specific tool for vendoring IIRC. The last tool you mentioned, Godep, is one Go-specific approach at vendoring. It's also the one that I have anecdotally heard recommended, but this comes with absolutely zero personal experience and is solely hearsay.

But most projects don't even need to vendor - I've been writing Go as my primary language for almost 2 years both at work and for personal use, and I have never once needed godep. YMMV, obviously.

(Looking at tools that exist isn't meaningful in se, because people will try to build libraries to replicate pattern from other languages whether or not they apply. They will look for what they're familiar with, see that it's "missing", and then decide to write one, rather than questioning whether that idiom is actually appropriate for this new language.)

Fair enough that the existence of tools isn't really indicative of anything. Although at least the three I mentioned have a few hundred stars on GH which suggests some people are actually using them.

Anyway, thanks for sharing your experience! Your comment suggests to mean that you haven't had the need to fix the versions of any of your dependencies. Is that really true? I would find that quite surprising given that you've been coding in Go for a couple years.

> If you need specific versions,

Who doesn't need this? Do you really want different people on your team accidentally using different versions of dependencies?

> the standard, idiomatic Go approach is to vendor your dependencies.

How does that work with transitive dependencies? Do you vendor those too?

> Google, for example, does not use any Go-specific tool for vendoring IIRC.

How much third-party code does Google actually use?

    >  Do you vendor [transitive dependencies] too?

Yes. Here's an example: https://github.com/soundcloud/roshi

That sounds like a nightmare to maintain. :(

It's trivial.

Then when you need to pin down versions and such, it's a massive pain (in terms of not being able to have a manifest file in Go's native case).

Pote's GVP/GPM works really well here. It's such a small system to learn and use, but does everything you could ever need when versioning godeps:

https://github.com/pote/gpm && https://github.com/pote/gvp

I think the classic solution of vendoring your dependencies would be the best strategy here.

Just to be clear, you can actually pin down the dependencies by creating a `component.json` manifest and adding the specific versions you want. You'd want to do this when publishing your own components, or when building a large app, but for quickly sketching out ideas you can just require them inline. Basically the manifest is optional, so you can choose when it makes sense to lock things down.

That's cool :) I assume the manifest can be auto-generated by examining the code? In that case, that makes me much more interested.

Not quite yet, but it totally could. We've been talking about trying to find a way to directly pin in the source with the help of a nice CLI instead. So that we can keep having no manifests, but get pinned deps at the same time without having to manually go through them all.