
# Dependency Management

When your code uses external packages, those packages (distributed as modules) become dependencies. Over time, you may need to upgrade them or replace them. Go provides dependency management tools that help you keep your Go applications secure as you incorporate external dependencies.

This topic describes how to perform tasks to manage dependencies you take on in your code. You can perform most of these with Go tools. This topic also describes how to perform a few other dependency-related tasks you might find useful.

In this section, we will cover the following:
- What are Go Modules?
- Initializing a module
- Adding dependencies
- Upgrading dependencies
- Using vendoring
- Handling multiple modules
- Common pitfalls and best practices
- **Security Considerations**

## Go Modules

Go modules are the standard way of managing dependencies in Go. They allow you to specify the versions of libraries that your project depends on. A module is defined by a `go.mod` file in the root of your project.

Each Go project that uses Go modules has its own `go.mod` file, which records the module's dependencies.

#### Use this command to initialize a new Go module

```bash
$ go mod init myproject
```

This creates a `go.mod` file with the following content:

```text
module myproject

go 1.23.3
```

The `go.mod` file contains the module name and the Go version used. You can add, remove, and upgrade dependencies using Go commands.

## Adding Dependencies

To add a dependency to your project, simply import it in your code and run `go mod tidy`. Go will automatically download the package and add it to the `go.mod` and `go.sum` files.


The `main.go` file imports the `uuid` package. When you run the command below, the `go.mod` and `go.sum` files are updated.

```bash
$ go mod tidy
```

## Upgrading Dependencies

To upgrade an existing dependency to a newer version, use the `go get` command followed by the desired version.

Use this command to update the package to a specific version:

```bash
$ go get github.com/google/uuid@v1.3.0
```

Use this command to update the package to the latest version:

```bash
$ go get github.com/google/uuid@latest
```

## Vendoring Dependencies

Vendoring is the process of copying external dependencies into the project directory. This ensures that the correct version of a dependency is always available, even if it is removed from its source.

To vendor dependencies, run the `go mod vendor` command. It will copy all dependencies to the `vendor/` directory.

Use this command to vendor dependencies:

```bash
$ go mod vendor
```

## Handling Multiple Modules

Go modules make it easy to manage projects with multiple modules. You can link them locally or fetch them from a repository.

To use a local module, you can replace the import path with a local directory.

#### Add this `replace` directive to `go.mod` to replace a dependency with a local module:

```text
replace example.com/mydep => ../mydep
```

## Common Pitfalls and Best Practices

### 1. Forgetting to Run `go mod tidy`
Always run `go mod tidy` to ensure that your `go.mod` file reflects your current dependencies.

### 2. Overcommitting `go.sum`
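Avoid unnecessary entries in `go.sum` by regularly cleaning your dependencies with `go mod tidy`. Keep `go.sum` itself under version control: it holds the checksums Go uses to verify downloaded modules.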

### 3. Using Old Versions of Go
Make sure you're using an updated version of Go (preferably Go 1.18 or later) to benefit from all the features of modules.

## Security Considerations

Regularly updating your dependencies is crucial to keeping your Go applications secure. Many vulnerabilities can be introduced by outdated third-party libraries, and these are often patched in newer versions. Using `go get` to update your dependencies ensures you're benefiting from the latest security fixes.

- **Run `go get` Regularly**: Periodically running `go get -u` ensures that you pull in the latest stable updates for your dependencies, minimizing security risks.
- **Monitor Vulnerabilities**: Keep track of security advisories related to your dependencies. Tools like [GoSec](https://github.com/securego/gosec) can help you analyze your code and its dependencies for security issues.
- **Locking Dependencies**: Always specify exact versions for critical dependencies in the `go.mod` file to prevent accidental upgrades that could introduce breaking changes or vulnerabilities.
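
The `replace` directive from "Handling Multiple Modules" and the pinning advice above can be checked mechanically before a release. The following is an added example, not part of the original workshop: `auditGoMod` is a hypothetical helper and the sample `go.mod` is constructed from the module paths used on this page. It flags `replace` directives that point at a local directory and requirements pinned to a pseudo-version, which goes slightly beyond the text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample go.mod, reusing the module paths shown on this page.
const sampleGoMod = `module myproject
go 1.23.3
require (
	github.com/google/uuid v1.3.0
	example.com/mydep v0.0.0-20240101000000-abcdef123456 // indirect
)
replace example.com/mydep => ../mydep
`

// pseudoVersion matches versions generated from an untagged commit.
var pseudoVersion = regexp.MustCompile(`[-.]\d{14}-[0-9a-f]{12}(\+incompatible)?$`)

// auditGoMod (hypothetical helper) lists go.mod lines to review before a release.
func auditGoMod(src string) (findings []string) {
	block := "" // directive name while inside a "name ( ... )" block
	for i, raw := range strings.Split(src, "\n") {
		f := strings.Fields(strings.Split(raw, "//")[0]) // drop trailing comments
		switch {
		case len(f) == 0:
			continue
		case f[0] == ")" || (len(f) == 2 && f[1] == "("):
			block = strings.Trim(f[0], ")") // "" when a block closes
			continue
		case block != "":
			f = append([]string{block}, f...)
		}
		old, repl, isReplace := strings.Cut(strings.Join(f[1:], " "), " => ")
		switch target := strings.Fields(repl); {
		case f[0] == "replace" && isReplace && len(target) == 1: // no version: a filesystem path
			findings = append(findings, fmt.Sprintf("line %d: %s built from local path %s, not checked against go.sum", i+1, old, target[0]))
		case f[0] == "require" && len(f) >= 3 && pseudoVersion.MatchString(f[2]):
			findings = append(findings, fmt.Sprintf("line %d: %s pinned to untagged commit %s", i+1, f[1], f[2]))
		}
	}
	return findings
}

func main() {
	fmt.Println(strings.Join(auditGoMod(sampleGoMod), "\n"))
}
```

A replacement that names a module path and a version is still downloaded and verified like any other module, so the helper leaves it unflagged.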
