proposal: cmd/go: mark tool dependencies in go.mod #71749

Open
@vhespanha

Proposal Details

go 1.24 added support for managing developer tool dependencies directly in go.mod. while this is a valuable feature, there's room for improvement in dependency management clarity - specifically, there's currently no way to distinguish between indirect dependencies from the project vs from tools.

proposal: extend go.mod format to distinguish tool indirect dependencies with a new comment marker //indirect:tool.

current format:

require github.com/main/dep v1.0.0

tool github.com/dev/tool

require (
    github.com/indirect/dep v1.0.0 // indirect   # source unclear
    github.com/indirect/dep2 v1.0.0 // indirect  # source unclear
)

proposed format:

require github.com/main/dep v1.0.0

tool github.com/dev/tool

require (
    github.com/indirect/dep v1.0.0 // indirect        # from main/dep
    github.com/indirect/dep2 v1.0.0 // indirect:tool  # from dev/tool
)

rationale: since go binaries are statically linked by default, it should be straightforward to audit what code is included in your final binary vs what's just needed for development.

implementation note: for dependencies that are indirect from both project and tools, the standard //indirect marker should be used to avoid duplicating data. this could potentially complicate tool dependency auditing but keeps the file simpler.

q: has this been discussed before? are there alternative approaches worth considering?
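
An added example, not part of the original issue and not code from the Go project: a sketch of how an audit script could consume the proposed marker to list tool-only modules. The `toolOnly` helper, the module path `example.com/app`, and the sample file are assumptions made for illustration, and `// indirect:tool` exists only in this proposal.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample; "// indirect:tool" is the proposal's marker, not current go.mod syntax.
const sampleGoMod = `module example.com/app
require github.com/main/dep v1.0.0
tool github.com/dev/tool
require (
	github.com/indirect/dep v1.0.0 // indirect
	github.com/indirect/dep2 v1.0.0 // indirect:tool
)
`

// toolOnly (hypothetical helper, not golang.org/x/mod/modfile) scans require
// lines and returns modules marked tool-only. Shared modules keep "// indirect"
// per the implementation note, so unreturned modules may still ship.
func toolOnly(src string) []string {
	var paths []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		// Split the directive from its trailing comment.
		code, comment, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(code)
		path := ""
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			path = f[1]
		case inBlock && len(f) == 2:
			path = f[0]
		}
		if path != "" && strings.TrimSpace(comment) == "indirect:tool" {
			paths = append(paths, path)
		}
	}
	return paths
}

func main() {
	fmt.Println("tool-only:", toolOnly(sampleGoMod))
}
```

Only the returned set can be excluded from a review of what reaches the final binary; a module left with the plain marker may be used by the project, by a tool, or by both.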

Labels: GoCommand, Proposal, ToolProposal