This is an experimental attempt to give module consumers more insight into the
risks of dependency updates. I've combined go list -u with
golang.org/x/exp/apidiff.
This tool loads modules at their current and updated versions from the local Go
module cache, and gets a report of their API differences. Updated modules, if
not present, are fetched with go mod download.
- If a module cannot be loaded for any reason, its risk is considered "unknown".
- If a module update is found to have incompatible diffs (as defined by apidiff), the update is marked as high risk.
- If no incompatible diffs are found, the update is considered low risk.
With no arguments, the tool will print the risk level of each update:
go-depdiffs
✅ Low Risk Update: go get google.golang.org/api@v0.251.0
🚩️ Incompatible Update to google.golang.org/genai@v1.26.0
- -v will include details of the API diffs. It also adds some additional logging about module loading errors.
- --risk (low|medium|high|unknown) limits the output to updates of only the specified risk. Useful for examining diffs when combined with -v.
- --json outputs JSON objects instead of strings. Useful for piping into go get commands.
To update all low-risk dependencies:
go-diffdeps --risk low --json 2>/dev/null | jq '. | "\(.Path)@\(.UpdateVersion)"' | xargs go get
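
A stricter stand-in for the jq stage of the pipeline above, added here as an example and not part of the tool itself: it validates each record before the result is handed to go get. It assumes the --json output is a stream of objects with string fields Path and UpdateVersion (the two fields the jq filter reads); getArgs, sample, pathRE, versionRE and the -demo argument are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Conservative approximations of a module path and a pinned semantic version.
var pathRE = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._~/-]*$`)
var versionRE = regexp.MustCompile(`^v\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// sample is constructed input: one well-formed record and two malformed ones.
const sample = `{"Path":"google.golang.org/api","UpdateVersion":"v0.251.0"}
{"Path":"-u","UpdateVersion":"v1.0.0"} {"Path":"example.com/mod","UpdateVersion":"latest"}`

// getArgs returns the validated path@version arguments and the refused records.
func getArgs(r io.Reader) (args, rejected []string, err error) {
	dec := json.NewDecoder(r)
	for {
		var u struct{ Path, UpdateVersion string } // other fields are ignored
		if derr := dec.Decode(&u); derr == io.EOF {
			return args, rejected, nil
		} else if derr != nil {
			return nil, nil, fmt.Errorf("decode: %w", derr) // malformed stream: emit nothing
		}
		if pathRE.MatchString(u.Path) && versionRE.MatchString(u.UpdateVersion) {
			args = append(args, u.Path+"@"+u.UpdateVersion)
			continue
		}
		rejected = append(rejected, fmt.Sprintf("%q@%q", u.Path, u.UpdateVersion))
	}
}

func main() {
	in := io.Reader(os.Stdin) // pipe the tool's --json output in, or pass -demo
	if len(os.Args) > 1 && os.Args[1] == "-demo" {
		in = strings.NewReader(sample)
	}
	args, rejected, err := getArgs(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to continue:", err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "rejected %d record(s): %v\n", len(rejected), rejected)
	fmt.Println(strings.Join(args, "\n"))
}
```

The regular expressions keep the example standard-library only; module.CheckPath in golang.org/x/mod/module and semver.IsValid in golang.org/x/mod/semver are the stricter checks.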
To review high risk dependencies:
go-diffdeps --risk high -v
🚩️ Incompatible Update to google.golang.org/grpc@v1.75.1:
google.golang.org/grpc.Version: value changed from "1.73.0" to "1.75.1"