samber

Golang Dependency Management

By Samuel Berthe · GitHub ↗ · v1.1.2 · MIT-0
cross-platform ✓ Security check passed
186 total downloads · 0 favorites · 0 current installs · 3 versions
Install in OpenClaw:
/install golang-dependency-management
Description
Provides dependency management strategies for Golang projects including go.mod management, installing/upgrading packages, semantic versioning, Minimal Versio...
Usage (SKILL.md)

Persona: You are a Go dependency steward. You treat every new dependency as a long-term maintenance commitment — you ask whether the standard library already solves the problem before reaching for an external package.

Go Dependency Management

AI Agent Rule: Ask Before Adding Dependencies

Before running go get to add any new dependency, AI agents MUST ask the user for confirmation. AI agents can suggest packages that are unmaintained, low-quality, or unnecessary when the standard library already provides equivalent functionality. Using go get -u to upgrade an existing dependency is safe.

Before proposing a dependency, evaluate:

  • Does the standard library already cover the use case?
  • Is the license compatible?
  • Are there well-known alternatives?
  • What does it do, and why is it needed?

The samber/cc-skills-golang@golang-popular-libraries skill contains a curated list of vetted, production-ready libraries. Prefer recommending packages from that list. When no vetted option exists, favor well-known packages from the Go team (golang.org/x/...) or established organizations over obscure alternatives.

Key Rules

  • go.sum MUST be committed — it records cryptographic checksums of every dependency version, letting go mod verify detect supply-chain tampering. Without it, a compromised proxy could silently substitute malicious code
  • govulncheck ./... before every release — catches known CVEs in your dependency tree before they reach production
  • Check maintenance status, license, and stdlib alternatives before adding a dependency — every dependency increases attack surface, maintenance burden, and binary size
  • go mod tidy before every commit that changes dependencies — removes unused modules and adds missing ones, keeping go.mod honest
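As an added example (not part of the skill's own content), the following Go program applies the go.sum rule above to a constructed go.mod/go.sum pair: it reports every required module that has no module-zip checksum in go.sum (so go mod verify has nothing to check for it) and any replace directive that points at a local filesystem path, which belongs to development only and should not be committed. Module names, versions and the h1: hashes in the sample inputs are constructed placeholders, and the parser covers only the require/replace subset of the go.mod grammar.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one require line from go.mod.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool
}

// ModFile is the subset of go.mod this check inspects.
type ModFile struct {
	Requires      []Requirement
	LocalReplaces []string // module paths replaced by a filesystem path
}

// ParseGoMod extracts require and replace directives, in both the
// single-line and the parenthesised block form.
func ParseGoMod(src string) ModFile {
	var mf ModFile
	block := "" // directive name while inside a ( ... ) block
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop comments
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch {
		case block != "" && f[0] == ")":
			block = ""
		case block == "" && len(f) == 2 && f[1] == "(":
			block = f[0]
		case f[0] == "require" || block == "require":
			if block == "" {
				f = f[1:]
			}
			if len(f) >= 2 {
				mf.Requires = append(mf.Requires, Requirement{f[0], f[1], indirect})
			}
		case f[0] == "replace" || block == "replace":
			if block == "" {
				f = f[1:]
			}
			// form: old [version] => new [version]
			for i, tok := range f {
				if tok != "=>" || i+1 >= len(f) {
					continue
				}
				t := f[i+1]
				if strings.HasPrefix(t, "./") || strings.HasPrefix(t, "../") || strings.HasPrefix(t, "/") {
					mf.LocalReplaces = append(mf.LocalReplaces, f[0])
				}
			}
		}
	}
	return mf
}

// ParseGoSum returns "path version" -> hash for lines carrying the module
// zip hash (no /go.mod suffix); only those let go mod verify check sources.
func ParseGoSum(src string) map[string]string {
	sums := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		sums[f[0]+" "+f[1]] = f[2]
	}
	return sums
}

// Audit returns the findings a reviewer would block a commit on.
func Audit(mf ModFile, sums map[string]string) []string {
	var out []string
	for _, r := range mf.Requires {
		if _, ok := sums[r.Path+" "+r.Version]; !ok {
			out = append(out, fmt.Sprintf("no go.sum checksum for %s %s", r.Path, r.Version))
		}
	}
	for _, p := range mf.LocalReplaces {
		out = append(out, fmt.Sprintf("local replace for %s must not be committed", p))
	}
	return out
}

// Constructed sample inputs; the h1: values are placeholders, not real hashes.
const sampleGoMod = `module example.com/app

go 1.22

require (
	github.com/pkg/errors v0.9.1
	example.com/indirectdep v0.3.0 // indirect
)

require github.com/some/module v1.2.0

replace github.com/some/module => ../module
`

const sampleGoSum = `github.com/pkg/errors v0.9.1 h1:CONSTRUCTEDHASHAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
github.com/pkg/errors v0.9.1/go.mod h1:CONSTRUCTEDHASHBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
example.com/indirectdep v0.3.0/go.mod h1:CONSTRUCTEDHASHCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
`

func main() {
	for _, f := range Audit(ParseGoMod(sampleGoMod), ParseGoSum(sampleGoSum)) {
		fmt.Println("FAIL:", f)
	}
}
```

The go.sum line ending in /go.mod only pins a dependency's go.mod file, which is why the indirect module above is reported even though go.sum mentions it; a missing zip hash is exactly the gap a substituted module would slip through.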

go.mod & go.sum

Essential Commands

Command            Purpose
go mod tidy        Add missing deps, remove unused ones
go mod download    Download modules to local cache
go mod verify      Verify cached modules match go.sum checksums
go mod vendor      Copy deps into vendor/ directory
go mod edit        Edit go.mod programmatically (scripts, CI)
go mod graph       Print the module requirement graph
go mod why         Explain why a module or package is needed

Vendoring

Use go mod vendor when you need hermetic builds (no network access), reproducibility guarantees beyond checksums, or when deploying to environments without module proxy access. CI pipelines and Docker builds sometimes benefit from vendoring. Run go mod vendor after any dependency change and commit the vendor/ directory.

Installing & Upgrading Dependencies

Adding a Dependency

go get github.com/pkg/errors           # Latest version
go get github.com/pkg/errors@vX.Y.Z    # Specific version (replace vX.Y.Z with the tag you want)
go get github.com/pkg/errors@latest    # Explicitly latest
go get github.com/pkg/errors@master    # Specific branch (pseudo-version)

Upgrading

go get -u ./...            # Upgrade ALL direct+indirect deps to latest minor/patch
go get -u=patch ./...      # Upgrade to latest patch only (safer)
go get github.com/some/module@vX.Y.Z   # Upgrade a specific package to a specific version

Prefer go get -u=patch for routine updates — patch versions change no public API (semver promise), so they're unlikely to break your build. Minor version upgrades may add new APIs but can also deprecate or change behavior unexpectedly.

Removing a Dependency

go get github.com/pkg/errors@none   # Mark for removal
go mod tidy                          # Clean up go.mod and go.sum

Installing CLI Tools

go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest

go install builds and installs a binary to $GOPATH/bin. Use @latest or a specific version tag — never @master for tools you depend on.

The tools.go Pattern

Pin tool versions in your module without importing them in production code:

//go:build tools

package tools

import (
    _ "github.com/golangci/golangci-lint/cmd/golangci-lint"
    _ "golang.org/x/vuln/cmd/govulncheck"
)

The build constraint ensures this file is never compiled in a normal build (it is only selected when the tools build tag is set, which you never do). The blank imports keep the tools in go.mod, so go install uses the pinned version. Run go mod tidy after creating this file.

Deep Dives

  • Versioning & MVS — Semantic versioning rules (major.minor.patch), when to increment each number, pre-release versions, the Minimal Version Selection (MVS) algorithm (why you can't just pick "latest"), and major version suffix conventions (v0, v1, v2 suffixes for breaking changes).

  • Auditing Dependencies — Vulnerability scanning with govulncheck, tracking outdated dependencies, analyzing which dependencies make the binary large (goweight), and distinguishing test-only vs binary dependencies to keep go.mod clean.

  • Dependency Conflicts & Resolution — Diagnosing version conflicts (what go get does when you request incompatible versions), resolution strategies (replace directives for local development, exclude for broken versions, retract for published versions that should be skipped), and workflows for conflicts across your dependency tree.

  • Go Workspaces — go.work files for multi-module development (e.g., library + example application), when to use workspaces vs monorepos, and workspace best practices.

  • Automated Dependency Updates — Setting up Dependabot or Renovate for automatic dependency update PRs, auto-merge strategies (when to merge automatically vs require review), and handling security updates.

  • Visualizing the Dependency Graph — go mod graph to inspect the full dependency tree, modgraphviz to visualize it, and interactive tools to find which dependency chains cause bloat.
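The Versioning & MVS and Dependency Conflicts items above describe Minimal Version Selection without showing it. As an added example (not the skill's own code, and a simplified model of the algorithm rather than the go command's implementation), this Go program runs MVS over a constructed requirement graph: it walks every reachable module version, keeps the highest version any go.mod in the graph asks for, and never moves past that even when a newer release exists. Module paths and versions are constructed; the semver comparison handles vMAJOR.MINOR.PATCH with an optional -prerelease suffix.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Module is one module at one version. An empty Version denotes the main module.
type Module struct{ Path, Version string }

// Graph maps a module version to the requirements listed in its go.mod.
type Graph map[Module][]Module

// parse splits "v1.2.3-rc1" into [1 2 3] and "rc1".
func parse(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p) // malformed parts compare as 0
	}
	return n, pre
}

// semverLess reports whether a sorts before b; a pre-release precedes its release.
func semverLess(a, b string) bool {
	na, pa := parse(a)
	nb, pb := parse(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	if pa == pb {
		return false
	}
	if pa == "" {
		return false // release is newer than any pre-release of it
	}
	if pb == "" {
		return true
	}
	return pa < pb
}

// MVS builds the module list: visit every version reachable from main and,
// per module path, select the maximum version that anyone requires.
func MVS(g Graph, main Module) map[string]string {
	selected := map[string]string{}
	visited := map[Module]bool{}
	var walk func(m Module)
	walk = func(m Module) {
		if visited[m] {
			return
		}
		visited[m] = true
		for _, r := range g[m] {
			if cur, ok := selected[r.Path]; !ok || semverLess(cur, r.Version) {
				selected[r.Path] = r.Version
			}
			walk(r) // requirements of non-selected versions still count
		}
	}
	walk(main)
	return selected
}

// Constructed graph. example.com/c has a v1.5.0 release that no go.mod
// requires, so MVS must settle on v1.3.0, not on "latest".
var mainModule = Module{Path: "example.com/app"}

var sampleGraph = Graph{
	mainModule:                           {{"example.com/a", "v1.2.0"}, {"example.com/b", "v1.0.0"}},
	{"example.com/a", "v1.2.0"}:          {{"example.com/c", "v1.1.0"}},
	{"example.com/b", "v1.0.0"}:          {{"example.com/c", "v1.3.0"}, {"example.com/a", "v1.1.0"}},
	{"example.com/a", "v1.1.0"}:          {{"example.com/c", "v1.0.0"}},
}

func main() {
	sel := MVS(sampleGraph, mainModule)
	paths := make([]string, 0, len(sel))
	for p := range sel {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("%s %s\n", p, sel[p])
	}
}
```

Because the result depends only on declared requirements, two developers with the same go.mod get the same build list without a lockfile for version choice; go.sum then guards the content of those chosen versions.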

Cross-References

  • → See samber/cc-skills-golang@golang-continuous-integration skill for Dependabot/Renovate CI setup
  • → See samber/cc-skills-golang@golang-security skill for vulnerability scanning with govulncheck
  • → See samber/cc-skills-golang@golang-popular-libraries skill for vetted library recommendations

Quick Reference

# Start a new module
go mod init github.com/user/project

# Add a dependency
go get github.com/pkg/errors@vX.Y.Z   # replace vX.Y.Z with the tag you want

# Upgrade all deps (patch only, safer)
go get -u=patch ./...

# Remove unused deps
go mod tidy

# Check for vulnerabilities
govulncheck ./...

# Check for outdated deps
go list -u -m -json all | go-mod-outdated -update -direct

# Analyze binary size by dependency
goweight

# Understand why a dep exists
go mod why -m github.com/some/module

# Visualize dependency graph
go mod graph | modgraphviz | dot -Tpng -o deps.png

# Verify checksums
go mod verify
Safe usage notes
This skill appears coherent and focused: it teaches and enforces safe Go dependency practices and installs govulncheck from an official golang.org package. Before installing, ensure you are comfortable with the skill installing a govulncheck binary into your Go bin directory and that your environment's GOPATH/GOBIN are set as you expect. Note the skill permits autonomous invocation (the platform default) — review your agent's permissions/policies if you do not want agents to act without confirmation. Finally, because this is instruction-only (no bundled code), the primary runtime action is installing/using govulncheck and running go commands; if you prefer, confirm the agent will always ask before running go get (the skill mandates that behavior).
Capability analysis
Type: OpenClaw Skill
Name: golang-dependency-management
Version: 1.1.2
The skill bundle provides comprehensive and secure guidance for Go dependency management, following industry best practices. It includes explicit instructions (SKILL.md) requiring the AI agent to seek user confirmation before adding new dependencies and emphasizes critical security measures such as committing 'go.sum' for integrity verification and using 'govulncheck' for vulnerability scanning. All recommended tools (e.g., goweight, go-mod-outdated) and commands are standard within the Go ecosystem, and the 'allowed-tools' configuration uses restricted bash patterns to limit the agent's execution scope.
Capability assessment
Purpose & Capability
Name/description match the requested bits: it needs the Go toolchain and govulncheck, and its advice and workflows focus on go.mod, go.sum, govulncheck, govulncheck-driven CI, vendoring, and visualizing module graphs. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md gives concrete, scoped instructions for dependency operations, auditing, and CI integration. It explicitly requires asking the user before adding dependencies and instructs use of govulncheck, go mod tidy, etc. It does not instruct reading arbitrary files or exfiltrating secrets, nor does it reference environment variables beyond the declared tools.
Install Mechanism
The only install spec is a go install for golang.org/x/vuln/cmd/govulncheck@latest — a standard, traceable install from an official golang.org package. This writes a binary (govulncheck) into the user's Go bin path, which is appropriate and expected for the skill's purpose.
Credentials
No environment variables, credentials, or config paths are requested. The declared tool requirements (go, govulncheck) are proportional to a dependency-management skill.
Persistence & Privilege
Flags show always:false and no unusual persistence. disable-model-invocation is false (normal), and the skill does not claim or request the ability to modify other skills or system-wide configs.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Type the install command in the chat box: /install golang-dependency-management
  3. After installation, invoke the skill by name or trigger it with /golang-dependency-management
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history
v1.1.2
  • Added "AskUserQuestion" to allowed tools to enable user confirmation before adding new dependencies.
  • Updated metadata version to 1.1.2.
v1.1.1
  • Updated version metadata to 1.1.1 in SKILL.md.
  • No changes to core functionality or documentation content; SKILL.md received only a metadata version bump.
v1.1.0
Version 1.1.0 of golang-dependency-management expands coverage and guidance for Go dependency workflows.
  • Enhanced documentation with strategies for dependency selection, management, updates, conflict resolution, and security auditing.
  • Clarifies the necessity to ask users before adding new dependencies, with checks for maintenance, stdlib alternatives, and license compatibility.
  • Details essential go.mod and go.sum practices, with command references and rationale for key rules.
  • Adds in-depth sections on versioning (MVS), workspaces, automated updates, visualizing the dependency graph, and dependency auditing.
  • Provides cross-references to related skills for CI, security, and vetted library use.
  • Offers concise command examples and quick references for typical dependency tasks.
Metadata
Slug golang-dependency-management
Version 1.1.2
License MIT-0
Total installs 0
Current installs 0
Versions 3
FAQ

What is Golang Dependency Management?

Provides dependency management strategies for Golang projects including go.mod management, installing/upgrading packages, semantic versioning, Minimal Versio... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 186 downloads to date.

How do I install Golang Dependency Management?

Run the command "/install golang-dependency-management" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Golang Dependency Management free?

Yes, Golang Dependency Management is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.

Which platforms does Golang Dependency Management support?

Golang Dependency Management is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Golang Dependency Management?

Developed and maintained by Samuel Berthe (@samber); current version v1.1.2.
