explainx.ainewsletter3.4k
Backend

golang-dependency-management

samber/cc-skills-golang · updated Apr 8, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills add https://github.com/samber/cc-skills-golang --skill golang-dependency-management
0 commentsdiscussion
summary

Persona: You are a Go dependency steward. You treat every new dependency as a long-term maintenance commitment — you ask whether the standard library already solves the problem before reaching for an external package.

skill.md

Persona: You are a Go dependency steward. You treat every new dependency as a long-term maintenance commitment — you ask whether the standard library already solves the problem before reaching for an external package.

Go Dependency Management

AI Agent Rule: Ask Before Adding Dependencies

Before running go get to add any new dependency, AI agents MUST ask the user for confirmation. AI agents can suggest packages that are unmaintained, low-quality, or unnecessary when the standard library already provides equivalent functionality. Using go get -u to upgrade an existing dependency is safe.

Before proposing a dependency, present:

  • Package name and import path
  • What it does and why it's needed
  • Whether the standard library covers the use case
  • GitHub stars, last commit date, and maintenance status (check via gh repo view)
  • License compatibility
  • Known alternatives

The samber/cc-skills-golang@golang-popular-libraries skill contains a curated list of vetted, production-ready libraries. Prefer recommending packages from that list. When no vetted option exists, favor well-known packages from the Go team (golang.org/x/...) or established organizations over obscure alternatives.

Key Rules

  • go.sum MUST be committed — it records cryptographic checksums of every dependency version, letting go mod verify detect supply-chain tampering. Without it, a compromised proxy could silently substitute malicious code
  • govulncheck ./... before every release — catches known CVEs in your dependency tree before they reach production
  • Check maintenance status, license, and stdlib alternatives before adding a dependency — every dependency increases attack surface, maintenance burden, and binary size
  • go mod tidy before every commit that changes dependencies — removes unused modules and adds missing ones, keeping go.mod honest

go.mod & go.sum

Essential Commands

Command Purpose
go mod tidy Add missing deps, remove unused ones
go mod download Download modules to local cache
go mod verify Verify cached modules match go.sum checksums
go mod vendor Copy deps into vendor/ directory
go mod edit Edit go.mod programmatically (scripts, CI)
go mod graph Print the module requirement graph
go mod why Explain why a module or package is needed

Vendoring

Use go mod vendor when you need hermetic builds (no network access), reproducibility guarantees beyond checksums, or when deploying to environments without module proxy access. CI pipelines and Docker builds sometimes benefit from vendoring. Run go mod vendor after any dependency change and commit the vendor/ directory.

Installing & Upgrading Dependencies

Adding a Dependency

go get github.com/pkg/errors           # Latest version
go get github.com/pkg/[email protected]    # Specific version
go get github.com/pkg/errors@latest    # Explicitly latest
go get github.com/pkg/errors@master    # Specific branch (pseudo-version)

Upgrading

go get -u ./...            # Upgrade ALL direct+indirect deps to latest minor/patch
go get -u=patch ./...      # Upgrade to latest patch only (safer)
go get github.com/[email protected] # Upgrade specific package

Prefer go get -u=patch for routine updates — patch versions change no public API (semver promise), so they're unlikely to break your build. Minor version upgrades may add new APIs but can also deprecate or change behavior unexpectedly.

Removing a Dependency

go get github.com/pkg/errors@none   # Mark for removal
go mod tidy                          # Clean up go.mod and go.sum

Installing CLI Tools

go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest

go install builds and installs a binary to $GOPATH/bin. Use @latest or a specific version tag — never @master for tools you depend on.

The tools.go Pattern

Pin tool versions in your module without importing them in production code:

//go:build tools

package tools

import (
    _ "github.com/golangci/golangci-lint/cmd/golangci-lint"
    _ "golang.org/x/vuln/cmd/govulncheck"
)

The build constraint ensures this file is never compiled. The blank imports keep the tools in go.mod so go install uses the pinned version. Run go mod tidy after creating this file.

Deep Dives

  • Versioning & MVS — Semantic versioning rules (major.minor.patch), when to increment each number, pre-release versions, the Minimal Version Selection (MVS) algorithm (why you can't just pick "latest"), and major version suffix conventions (v0, v1, v2 suffixes for breaking changes).

  • Auditing Dependencies — Vulnerability scanning with govulncheck, tracking outdated dependencies, analyzing which dependencies make the binary large (goweight), and distinguishing test-only vs binary dependencies to keep go.mod clean.

  • Dependency Conflicts & Resolution — Diagnosing version conflicts (what go get does when you request incompatible versions), resolution strategies (replace directives for local development, exclude for broken versions, retract for published versions that should be skipped), and workflows for conflicts across your dependency tree.

  • Go Workspacesgo.work files for multi-module development (e.g., library + example application), when to use workspaces vs monorepos, and workspace best practices.

  • Automated Dependency Updates — Setting up Dependabot or Renovate for automatic dependency update PRs, auto-merge strategies (when to merge automatically vs require review), and handling security updates.

  • Visualizing the Dependency Graphgo mod graph to inspect the full dependency tree, modgraphviz to visualize it, and interactive tools to find which dependency chains cause bloat.

Cross-References

  • → See samber/cc-skills-golang@golang-continuous-integration skill for Dependabot/Renovate CI setup
  • → See samber/cc-skills-golang@golang-security skill for vulnerability scanning with govulncheck
  • → See samber/cc-skills-golang@golang-popular-libraries skill for vetted library recommendations

Quick Reference

# Start a new module
go mod init github.com/user/project

# Add a dependency
go get github.com/pkg/[email protected]

# Upgrade all deps (patch only, safer)
go get -u=patch ./...

# Remove unused deps
go mod tidy

# Check for vulnerabilities
govulncheck ./...

# Check for outdated deps
go list -u -m -json all | go-mod-outdated -update -direct

# Analyze binary size by dependency
goweight

# Understand why a dep exists
go mod why -m github.com/some/module

# Visualize dependency graph
go mod graph | modgraphviz | dot -Tpng -o deps.png

# Verify checksums
go mod verify
how to use golang-dependency-management

How to use golang-dependency-management on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add golang-dependency-management
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills add https://github.com/samber/cc-skills-golang --skill golang-dependency-management

The skills CLI fetches golang-dependency-management from GitHub repository samber/cc-skills-golang and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/golang-dependency-management

Reload or restart Cursor to activate golang-dependency-management. Access the skill through slash commands (e.g., /golang-dependency-management) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.766 reviews
  • Jin Li· Dec 28, 2024

    Useful defaults in golang-dependency-management — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Maya Menon· Dec 24, 2024

    golang-dependency-management fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Sophia Dixit· Dec 24, 2024

    We added golang-dependency-management from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Aarav Robinson· Dec 8, 2024

    golang-dependency-management has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Jin Park· Dec 8, 2024

    Keeps context tight: golang-dependency-management is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Sophia Lopez· Dec 8, 2024

    Solid pick for teams standardizing on skills: golang-dependency-management is focused, and the summary matches what you get after install.

  • Dhruvi Jain· Dec 4, 2024

    We added golang-dependency-management from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Ava Patel· Nov 27, 2024

    golang-dependency-management is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Jin Robinson· Nov 27, 2024

    I recommend golang-dependency-management for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Oshnikdeep· Nov 23, 2024

    Useful defaults in golang-dependency-management — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

showing 1-10 of 66

1 / 7