Richard Bucker

Third Party Dependencies

Posted at — Nov 25, 2020

When I started writing code in golang there was no need for a library vendoring solution. There were very few libraries to trust, and importing them directly into the project was the way. Unfortunately, as time went on and libraries became plentiful and HUGE… vendoring became necessary. As a result there were several sidekick solutions and finally a built-in solution.

Of course, other languages had already solved this problem in their own space, and the go authors wanted to as well, but they are VERY deliberate about not making breaking changes.

The one thing we are supposed to have learned from CI/CD is that importing the HEAD of a library is preferred; however, there is still a need to manage breaking changes. So the go approach of pulling from HEAD until HEAD breaks is kinda reasonable. But then we are back to the problem of version management and the need for a librarian.

So what is the best way to manage 3rd party dependencies, especially when evildoers can inject code into the libs?
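The built-in answer for Go modules is go.sum: every required module version is pinned to an h1: checksum, and a build refuses module content that does not hash to the recorded value. As an added example (not code from the post), the Go program below reproduces that h1: computation for an in-memory module, lists required modules that have no checksum in go.sum, and re-verifies module content the way go mod verify does. The module names, file contents and the go.mod/go.sum text are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 reproduces Go's "h1:" module checksum: sha256 over the sorted lines
// "<hex sha256 of file>  <file name>\n", base64-encoded. files stands in for
// the unpacked module zip (constructed in memory for this example).
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", sum, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// ParseRequires returns module path -> version for each require directive in
// go.mod text, whether written on one line or inside a require ( ... ) block.
func ParseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		}
	}
	return reqs
}

// ParseGoSum returns "path version" -> h1 for the module zip lines of go.sum.
// The "/go.mod" lines only cover a module's go.mod file and are skipped here.
func ParseGoSum(gosum string) map[string]string {
	sums := map[string]string{}
	for _, line := range strings.Split(gosum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && !strings.HasSuffix(f[1], "/go.mod") {
			sums[f[0]+" "+f[1]] = f[2]
		}
	}
	return sums
}

// Unpinned lists required modules with no zip checksum in go.sum: on a fresh
// build the toolchain would fetch these with nothing to verify them against.
func Unpinned(gomod, gosum string) []string {
	sums := ParseGoSum(gosum)
	var missing []string
	for path, ver := range ParseRequires(gomod) {
		if _, ok := sums[path+" "+ver]; !ok {
			missing = append(missing, path+"@"+ver)
		}
	}
	sort.Strings(missing)
	return missing
}

// VerifyModule recomputes the checksum of module content and compares it with
// go.sum, the check `go mod verify` performs against the module cache.
func VerifyModule(gosum, path, version string, files map[string][]byte) error {
	want, ok := ParseGoSum(gosum)[path+" "+version]
	if !ok {
		return fmt.Errorf("%s@%s: no checksum in go.sum", path, version)
	}
	if got := Hash1(files); got != want {
		return fmt.Errorf("%s@%s: checksum mismatch: go.sum has %s, content hashes to %s", path, version, want, got)
	}
	return nil
}

func main() {
	// Constructed sample: a tiny module as it would sit unpacked in the module cache.
	files := map[string][]byte{
		"example.com/lib@v1.0.0/go.mod": []byte("module example.com/lib\n"),
		"example.com/lib@v1.0.0/lib.go": []byte("package lib\n"),
	}
	gosum := "example.com/lib v1.0.0 " + Hash1(files) + "\n"
	gomod := "module example.com/app\n\nrequire (\n\texample.com/lib v1.0.0\n\texample.com/other v0.2.0 // indirect\n)\n"
	fmt.Println("unpinned:", Unpinned(gomod, gosum))
	fmt.Println("verify:", VerifyModule(gosum, "example.com/lib", "v1.0.0", files))
	files["example.com/lib@v1.0.0/lib.go"] = []byte("package lib // tampered\n") // simulate modified content
	fmt.Println("after tamper:", VerifyModule(gosum, "example.com/lib", "v1.0.0", files))
}
```

In practice the toolchain does this for you: go mod verify rechecks the module cache against go.sum, and the checksum database (GOSUMDB, sum.golang.org by default) lets a fresh clone notice when go.sum itself was altered. What the pinning cannot cover is a replace directive pointing at a local directory, so those deserve a look in review.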