Description
Proposal Details
go 1.24 added support for managing developer tool dependencies directly in go.mod
. while this is a valuable feature, there's room for improvement in dependency management clarity - specifically, there's currently no way to distinguish between indirect dependencies from the project vs from tools.
proposal: extend go.mod format to distinguish tool indirect dependencies with a new comment marker //indirect:tool
.
current format:
require github.com/main/dep v1.0.0
tool github.com/dev/tool
require (
github.com/indirect/dep v1.0.0 // indirect # source unclear
github.com/indirect/dep2 v1.0.0 // indirect # source unclear
)
proposed format:
require github.com/main/dep v1.0.0
tool github.com/dev/tool
require (
github.com/indirect/dep v1.0.0 // indirect # from main/dep
github.com/indirect/dep2 v1.0.0 // indirect:tool # from dev/tool
)
rationale: since go binaries are statically linked by default, it should be straightforward to audit what code is included in your final binary vs what's just needed for development.
implementation note: for dependencies that are indirect from both project and tools, the standard //indirect
marker should be used to avoid duplicating data. this could potentially complicate tool dependency auditing but keeps the file simpler.
q: has this been discussed before? are there alternative approaches worth considering?
Metadata
Metadata
Assignees
Type
Projects
Status