Is it best-practice to commit the `vendor` directory?
imagine what would happen to your project if a dependency was taken offline by the author. Until Go has a central server to hold all packages which are unable to be deleted a lot of people will always see the need to commit the vendor folder
The dep
tool's FAQ answers this:
Should I commit my vendor directory?
It's up to you:
Pros
- It's the only way to get truly reproducible builds, as it guards against upstream renames, deletes and commit history overwrites.
- You don't need an extra
dep ensure
step to syncvendor/
withGopkg.lock
after most operations, such as go get, cloning, getting latest, merging, etc.Cons
- Your repo will be bigger, potentially a lot bigger, though prune can help minimize this problem.
- PR diffs will include changes for files under
vendor/
whenGopkg.lock
is modified, however files invendor/
are hidden by default on GitHub.