Getting all dependencies of a Go project


Problem description

For my project I am trying to get all the dependencies and sub-dependencies of my project. I need the specific version of each of these dependencies. Not only do I need the dependencies of my project, but the dependencies of the dependencies and so on until the root.

For my project, go list -m all works for everything except indirect dependencies that have not opted into using go.mod files. Right now my workflow is taking an initial batch of repositories, downloading them from git, then using "GO111MODULE=on go build ./..." and "GO111MODULE=on go list -m -json all" to get the list of dependencies. I do not check for go.mod as all of the repositories I am scanning are using go.mod files.

For the list of dependencies that come out of this initial list I have some questions, for files without go.mod files, I used this as a reference: "https://blog.golang.org/using-go-modules"

-Path = Received from go list -m all, it can be GitHub, gopkg, or whatever is used to dl the go package.

Without go.mod

-"GO111MODULE=on go mod init <PATH from parent go.mod>"

-"GO111MODULE=on go build ./..."

-"GO111MODULE=on go mod tidy"

-"GO111MODULE=on go list -m -json all"

-From there I get a list of the dependencies of this module. 

With go.mod

-"GO111MODULE=on go build ./..."

-"GO111MODULE=on go mod tidy"

-"GO111MODULE=on go list -m -json all"

Should I be running go build on each dependency that has a go.mod file? For ones without a go.mod file, I understand this should be done, as how else will we populate the go.mod file with the dependencies. But for files with a go.mod file, will I be pulling extra stuff that is not necessarily being used by my project with go build, like test files and other files that might not be used when I am simply importing that project? I understand that it's better to get more unused dependencies rather than missing some, but it is getting a bit overwhelming with how massive the amount of dependencies is.

Recommended answer

I can try to analyze go.sum file (when you execute go list -u, go.sum was created)

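The go command uses the go.sum file to ensure that future downloads of these modules retrieve the same bits as the first download, to ensure the modules your project depends on do not change unexpectedly, whether for malicious, accidental, or other reasons. Both go.mod and go.sum should be checked into version control. (Using Go Modules - Adding a dependency)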

The go.sum file lists the checksum (and version tag) of each direct and indirect dependency required by the module.

% cat go.sum
...
github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b/go.mod h1:ac9efd0D1fsDb3EJvhqgXRbFx7bs2wqZ10HQPeU8U/Q=
github.com/c2h5oh/datasize v0.0.0-20171227191756-4eba002a5eae/go.mod h1:S/7n9copUssQ56c7aAgHqftWO4LTf4xY6CGWt8Bc+3M=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
...
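
An added example, not part of the original answer: a small Go parser that folds go.sum lines into one entry per module version and records whether the module zip hash, and not only the /go.mod hash, is present. go.sum can hold versions that are not in the final build list, so treat the result as a superset of what go list -m all reports; SumEntry, ParseGoSum and the example.com/demo lines with placeholder hashes are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// SumEntry is one module version recorded in go.sum.
type SumEntry struct {
	Path, Version string
	HasZipHash    bool // false: only the "/go.mod" hash line is present
}

// sample is constructed: two lines from the page's listing plus a made-up
// module (example.com/demo) with placeholder hashes.
const sample = `github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
example.com/demo v1.2.0 h1:PLACEHOLDER-ZIP-HASH=
example.com/demo v1.2.0/go.mod h1:PLACEHOLDER-MOD-HASH=
`

// ParseGoSum folds "<path> <version>[/go.mod] h1:<hash>" lines into one
// entry per module version, sorted by the string "path@version".
func ParseGoSum(data string) ([]SumEntry, error) {
	zip := map[[2]string]bool{} // {path, version} -> zip hash seen
	sc := bufio.NewScanner(strings.NewReader(data))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d: malformed entry", n)
		}
		k := [2]string{f[0], strings.TrimSuffix(f[1], "/go.mod")}
		zip[k] = zip[k] || k[1] == f[1] // no suffix: hash covers the module zip
	}
	out := make([]SumEntry, 0, len(zip))
	for k, z := range zip {
		out = append(out, SumEntry{k[0], k[1], z})
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Path+"@"+out[i].Version < out[j].Path+"@"+out[j].Version
	})
	return out, sc.Err()
}

func main() {
	entries, err := ParseGoSum(sample)
	fmt.Println(entries, err)
}
```

Elision lines such as the "..." in the listing above are rejected as malformed, so feed the parser the real file rather than a trimmed excerpt.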
