# 2.1 Go依赖管理工具dep

> Go dependency management tool
>
> ## 环境要求
>
> * Golang >= 1.9
> * Dep

## 目前版本：

```
dep:
 version     : devel
 build date  : 
 git hash    : 
 go version  : go1.10
 go compiler : gc
 platform    : linux/amd64
```

`Latest release`为`v0.4.1`

## 安装

```
go get -u github.com/golang/dep/cmd/dep
```

若`$GOPATH/bin`不在`PATH`下，则需要将生成的`dep`文件从`$GOPATH/bin`移动至`$GOBIAN`下

## 验证

```
$ dep
Dep is a tool for managing dependencies for Go projects

Usage: "dep [command]"

Commands:

  init     Set up a new Go project, or migrate an existing one
  status   Report the status of the project's dependencies
  ensure   Ensure a dependency is safely vendored in the project
  prune    Pruning is now performed automatically by dep ensure.
  version  Show the dep version information

Examples:
  dep init                               set up a new project
  dep ensure                             install the project's dependencies
  dep ensure -update                     update the locked versions of all dependencies
  dep ensure -add github.com/pkg/errors  add a dependency to the project

Use "dep help [command]" for more information about a command.
```

## 初始化

在项目根目录执行初始化命令，`dep`在初始化时会分析应用程序所需要的所有依赖包，得出依赖包清单

并生成`vendor`目录，`Gopkg.toml`、`Gopkg.lock`文件

![image](https://golang.github.io/dep/docs/assets/func-toggles.png)

### 默认初始化

```
$ dep init -v
```

直接从对应网络资源处下载

### 优先从$GOPATH初始化

```
$ dep init -gopath -v
```

该命令会先从`$GOPATH`查找既有的依赖包，若不存在则从对应网络资源处下载

### Gopkg.toml

该文件由`dep init`生成，包含管理`dep`行为的规则声明

```
required = ["github.com/user/thing/cmd/thing"]

ignored = [
  "github.com/user/project/pkgX",
  "bitbucket.org/user/project/pkgA/pkgY"
]

[metadata]
key1 = "value that convey data to other systems"
system1-data = "value that is used by a system"
system2-data = "value that is used by another system"

[[constraint]]
  # Required: the root import path of the project being constrained.
  name = "github.com/user/project"
  # Recommended: the version constraint to enforce for the project.
  # Note that only one of "branch", "version" or "revision" can be specified.
  version = "1.0.0"
  branch = "master"
  revision = "abc123"

  # Optional: an alternate location (URL or import path) for the project's source.
  source = "https://github.com/myfork/package.git"

  # Optional: metadata about the constraint or override that could be used by other independent systems
  [metadata]
  key1 = "value that convey data to other systems"
  system1-data = "value that is used by a system"
  system2-data = "value that is used by another system"
```

### Gopkg.lock

该文件由`dep ensure`和`dep init`生成，包含一个项目依赖关系图的传递完整快照，表示为一系列`[[project]]`节

```
# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.

[[projects]]
  branch = "master"
  name = "github.com/golang/protobuf"
  packages = [
    "jsonpb",
    "proto",
    "protoc-gen-go/descriptor",
    "ptypes",
    "ptypes/any",
    "ptypes/duration",
    "ptypes/struct",
    "ptypes/timestamp"
  ]
  revision = "bbd03ef6da3a115852eaf24c8a1c46aeb39aa175"
```

## 常用命令

### dep ensure

从项目中的`Gopkg.toml`和`Gopkg.lock`中分析关系图，并获取所需的依赖包

用于确保本地的关系图、锁、依赖包清单完全一致

### dep ensure -add

```
# 引入该依赖包的最新版本
dep ensure -add github.com/pkg/foo

# 引入具有特定约束（指定版本）的依赖包
dep ensure -add github.com/pkg/foo@^1.0.1
```

### dep ensure -update

将`Gopkg.lock`中的约定依赖项更新为`Gopkg.toml`允许的最新版本

## 最后

目前`dep`还在官方试验阶段，但已表示生产可安全使用

如果出现什么问题，大家可以一起留个言讨论讨论