Is it best-practice to commit the `vendor` directory?

imagine what would happen to your project if a dependency was taken offline by the author. Until Go has a central server to hold all packages which are unable to be deleted a lot of people will always see the need to commit the vendor folder

The dep tool's FAQ answers this:

Should I commit my vendor directory?

It's up to you:

Pros

• It's the only way to get truly reproducible builds, as it guards against upstream renames, deletes and commit history overwrites.
• You don't need an extra dep ensure step to sync vendor/ with Gopkg.lock after most operations, such as go get, cloning, getting latest, merging, etc.

Cons

• Your repo will be bigger, potentially a lot bigger, though prune can help minimize this problem.
• PR diffs will include changes for files under vendor/ when Gopkg.lock is modified, however files in vendor/ are hidden by default on GitHub.