In the minimega project, we vendor all of our dependencies to ensure that we build with specific versions of the dependencies every time on every machine. Vendoring dependencies also allows us to tweak dependencies as needed (e.g. bug fixes) without waiting for them to be resolved upstream.

We vendor dependencies in src/vendor which is supported in Go 1.6+.

Adding a new dependency

When you need to add a new dependency, there are a few things to consider:

Ask the team if you are unsure -- it never hurts to get a second (or third) opinion.

To actually vendor a dependency:

Patching a dependency

Sometimes we find issues in our dependencies that are not resolved upstream. Rather than wait for upstream to patch, we simply patch the vendored files. These patches should be done as separate commits from the above process to add a new dependency so that we can reapply the patches if we update the dependency.

Updating a dependency

The easiest way to update a dependency is to remove the dependency from src/vendor and then follow the steps to add a new dependency. Git will figure out what has been added/changed/removed for you if you do not commit between removing the dependency directory and add the updated files. This only works with unpatched dependencies.

For patched dependencies, you must port the necessary patches to the new dependency code. Good luck.


The minimega authors

07 Feb 2017