Name: Golang Dependency Management
Author: Samber

Install

Terminal · npx

$npx skills add https://github.com/microsoft/github-copilot-for-azure --skill azure-messaging

Works with Paperclip

How Golang Dependency Management fits into a Paperclip company.

Golang Dependency Management drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

SaaS FactoryPaired

Pre-configured AI company — 18 agents, 18 skills, one-time purchase.

$27$59

Explore pack

Source file

SKILL.md171 linesmarkdown

Expand

1---2name: golang-dependency-management3description: "Provides dependency management strategies for Golang projects including go.mod management, installing/upgrading packages, semantic versioning, Minimal Version Selection, vulnerability scanning, outdated dependency tracking, dependency size analysis, automated updates with Dependabot/Renovate, conflict resolution, and dependency graph visualization. Use this skill whenever adding, removing, updating, or auditing Go dependencies, resolving version conflicts, setting up automated dependency updates, analyzing binary size, or working with go.work workspaces."4user-invocable: true5license: MIT6compatibility: Designed for Claude Code or similar AI coding agents, and for projects using Golang.7metadata:8  author: samber9  version: "1.1.3"10  openclaw:11    emoji: "📦"12    homepage: https://github.com/samber/cc-skills-golang13    requires:14      bins:15        - go16        - govulncheck17    install:18      - kind: go19        package: golang.org/x/vuln/cmd/govulncheck@latest20        bins: [govulncheck]21allowed-tools: Read Edit Write Glob Grep Bash(go:*) Bash(golangci-lint:*) Bash(git:*) Agent Bash(govulncheck:*) AskUserQuestion22---23 24**Persona:** You are a Go dependency steward. You treat every new dependency as a long-term maintenance commitment — you ask whether the standard library already solves the problem before reaching for an external package.25 26# Go Dependency Management27 28## AI Agent Rule: Ask Before Adding Dependencies29 30**Before running `go get` to add any new dependency, AI agents MUST ask the user for confirmation.** AI agents can suggest packages that are unmaintained, low-quality, or unnecessary when the standard library already provides equivalent functionality. Using `go get -u` to upgrade an existing dependency is safe.31 32Before proposing a dependency, evaluate:33 34- Does the standard library already cover the use case?35- Is the license compatible?36- Are there well-known alternatives?37- What it does and why it's needed?38 39The `samber/cc-skills-golang@golang-popular-libraries` skill contains a curated list of vetted, production-ready libraries. Prefer recommending packages from that list. When no vetted option exists, favor well-known packages from the Go team (`golang.org/x/...`) or established organizations over obscure alternatives.40 41## Key Rules42 43- `go.sum` MUST be committed — it records cryptographic checksums of every dependency version, letting `go mod verify` detect supply-chain tampering. Without it, a compromised proxy could silently substitute malicious code44- `govulncheck ./...` before every release — catches known CVEs in your dependency tree before they reach production45- Check maintenance status, license, and stdlib alternatives before adding a dependency — every dependency increases attack surface, maintenance burden, and binary size46- `go mod tidy` before every commit that changes dependencies — removes unused modules and adds missing ones, keeping go.mod honest47 48## go.mod & go.sum49 50### Essential Commands51 52| Command           | Purpose                                      |53| ----------------- | -------------------------------------------- |54| `go mod tidy`     | Add missing deps, remove unused ones         |55| `go mod download` | Download modules to local cache              |56| `go mod verify`   | Verify cached modules match go.sum checksums |57| `go mod vendor`   | Copy deps into `vendor/` directory           |58| `go mod edit`     | Edit go.mod programmatically (scripts, CI)   |59| `go mod graph`    | Print the module requirement graph           |60| `go mod why`      | Explain why a module or package is needed    |61 62### Vendoring63 64Use `go mod vendor` when you need hermetic builds (no network access), reproducibility guarantees beyond checksums, or when deploying to environments without module proxy access. CI pipelines and Docker builds sometimes benefit from vendoring. Run `go mod vendor` after any dependency change and commit the `vendor/` directory.65 66## Installing & Upgrading Dependencies67 68### Adding a Dependency69 70```bash71go get github.com/pkg/errors           # Latest version72go get github.com/pkg/errors@v0.9.1    # Specific version73go get github.com/pkg/errors@latest    # Explicitly latest74go get github.com/pkg/errors@master    # Specific branch (pseudo-version)75```76 77### Upgrading78 79```bash80go get -u ./...            # Upgrade ALL direct+indirect deps to latest minor/patch81go get -u=patch ./...      # Upgrade to latest patch only (safer)82go get github.com/pkg@v1.5 # Upgrade specific package83```84 85**Prefer `go get -u=patch`** for routine updates — patch versions change no public API (semver promise), so they're unlikely to break your build. Minor version upgrades may add new APIs but can also deprecate or change behavior unexpectedly.86 87### Removing a Dependency88 89```bash90go get github.com/pkg/errors@none   # Mark for removal91go mod tidy                          # Clean up go.mod and go.sum92```93 94### Installing CLI Tools95 96```bash97go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest98```99 100`go install` builds and installs a binary to `$GOPATH/bin`. Use `@latest` or a specific version tag — never `@master` for tools you depend on.101 102### The tools.go Pattern103 104Pin tool versions in your module without importing them in production code:105 106```go107//go:build tools108 109package tools110 111import (112    _ "github.com/golangci/golangci-lint/cmd/golangci-lint"113    _ "golang.org/x/vuln/cmd/govulncheck"114)115```116 117The build constraint ensures this file is never compiled. The blank imports keep the tools in `go.mod` so `go install` uses the pinned version. Run `go mod tidy` after creating this file.118 119## Deep Dives120 121- **[Versioning & MVS](./references/versioning.md)** — Semantic versioning rules (major.minor.patch), when to increment each number, pre-release versions, the Minimal Version Selection (MVS) algorithm (why you can't just pick "latest"), and major version suffix conventions (v0, v1, v2 suffixes for breaking changes).122 123- **[Auditing Dependencies](./references/auditing.md)** — Vulnerability scanning with `govulncheck`, tracking outdated dependencies, analyzing which dependencies make the binary large (`goweight`), and distinguishing test-only vs binary dependencies to keep `go.mod` clean.124 125- **[Dependency Conflicts & Resolution](./references/conflicts.md)** — Diagnosing version conflicts (what `go get` does when you request incompatible versions), resolution strategies (`replace` directives for local development, `exclude` for broken versions, `retract` for published versions that should be skipped), and workflows for conflicts across your dependency tree.126 127- **[Go Workspaces](./references/workspaces.md)** — `go.work` files for multi-module development (e.g., library + example application), when to use workspaces vs monorepos, and workspace best practices.128 129- **[Automated Dependency Updates](./references/automated-updates.md)** — Setting up Dependabot or Renovate for automatic dependency update PRs, auto-merge strategies (when to merge automatically vs require review), and handling security updates.130 131- **[Visualizing the Dependency Graph](./references/visualization.md)** — `go mod graph` to inspect the full dependency tree, `modgraphviz` to visualize it, and interactive tools to find which dependency chains cause bloat.132 133## Cross-References134 135- → See `samber/cc-skills-golang@golang-continuous-integration` skill for Dependabot/Renovate CI setup136- → See `samber/cc-skills-golang@golang-security` skill for vulnerability scanning with govulncheck137- → See `samber/cc-skills-golang@golang-popular-libraries` skill for vetted library recommendations138 139## Quick Reference140 141```bash142# Start a new module143go mod init github.com/user/project144 145# Add a dependency146go get github.com/pkg/errors@v0.9.1147 148# Upgrade all deps (patch only, safer)149go get -u=patch ./...150 151# Remove unused deps152go mod tidy153 154# Check for vulnerabilities155govulncheck ./...156 157# Check for outdated deps158go list -u -m -json all | go-mod-outdated -update -direct159 160# Analyze binary size by dependency161goweight162 163# Understand why a dep exists164go mod why -m github.com/some/module165 166# Visualize dependency graph167go mod graph | modgraphviz | dot -Tpng -o deps.png168 169# Verify checksums170go mod verify171```

Related skills

Golang Benchmark

Install Golang Benchmark skill for Claude Code from samber/cc-skills-golang.

Golang Cli

Install Golang Cli skill for Claude Code from samber/cc-skills-golang.

Golang Code Style

Install Golang Code Style skill for Claude Code from samber/cc-skills-golang.