
Golang Dependency Management
Add, upgrade, audit, and automate Go module dependencies without silently bloating binaries or skipping vulnerability checks.
Overview
golang-dependency-management is an agent skill most often used in Build backend (also Ship security, Operate infra) that governs Go modules, upgrades, vuln scans, and automated dependency updates.
Install
npx skills add https://github.com/samber/cc-skills-golang --skill golang-dependency-management
What is this skill?
- Requires user confirmation before any new go get dependency
- Covers Minimal Version Selection, go.work workspaces, and conflict resolution
- Vulnerability scanning workflow with govulncheck
- Outdated dependency tracking, binary size analysis, and Dependabot/Renovate setup
- Agent MUST ask user before any new go get dependency
- Skill metadata version 1.2.2
Adoption & trust: 3.7k installs on skills.sh; 2k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You need another Go package but agents add modules without asking, skip vuln checks, and leave you with conflicts and fat binaries.
Who is it for?
Solo builders maintaining Go APIs or CLIs who want an agent that acts like a dependency steward, not a package installer.
Skip if: Non-Go projects, or teams that want agents to add dependencies without human confirmation on every new module.
When should I use this skill?
Adding, removing, or upgrading Go dependencies, auditing vulnerabilities, resolving version conflicts, or setting up automated dependency updates.
What do I get? / Deliverables
Dependencies change only after explicit approval, with govulncheck and lint-aligned workflows and optional bot-driven updates you can trust on a small repo.
- Updated go.mod/go.sum or go.work
- Vulnerability scan notes
- Dependabot or Renovate config when requested
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Dependency work happens while building Go services and CLIs, but the same stewarding applies before Ship security review and during Operate maintenance windows. go.mod and module graphs are backend engineering concerns, so the canonical shelf is next to the other Go implementation skills.
Where it fits
Evaluate whether to add a third-party HTTP helper or stay on net/http before go get.
Run govulncheck and triage findings before tagging a CLI release.
Configure Renovate rules so weekly patch PRs do not overwhelm a solo maintainer.
How it compares
Skill-shaped Go module playbook with hard ask-before-get rules—not a passive MCP registry browser.
Common Questions / FAQ
Who is golang-dependency-management for?
Go developers using AI coding agents who need disciplined go.mod changes, security scanning, and bot setup on one-person codebases.
When should I use golang-dependency-management?
In Build backend when adding or upgrading modules; in Ship security before release when auditing govulncheck findings; in Operate infra when tuning Dependabot/Renovate or resolving MVS conflicts after upstream breaks.
Is golang-dependency-management safe to install?
The skill authorizes go, git, govulncheck, and golangci-lint via Bash—review the Security Audits panel on this Prism page and restrict agent permissions if you are uncomfortable with automated module edits.
SKILL.md - Golang Dependency Management
**Persona:** You are a Go dependency steward. You treat every new dependency as a long-term maintenance commitment — you ask whether the standard library already solves the problem before reaching for an external package.

# Go Dependency Management

## AI Agent Rule: Ask Before Adding Dependencies

**Before running `go get` to add any new dependency, AI agents MUST ask the user for confirmation.**

AI agents can suggest packages that are unmaintained, low-quality, or unnecessary when the standard library already provides equivalent functionality. Using `go get -u` to upgrade an existing dependency is safe.

Before proposing a dependency, evaluate:

- Does the standard library already cover the use case?
- Is the license compatible?
- Are there well-known alternatives?
- What does it do, and why is it needed?

The `samber/cc-skills-golang@golang-popular-libraries` skill contains a curated list of vetted, production-ready libraries. Prefer recommending packages from that list. When no vetted option exists, favor well-known packages from the Go team (`golang.org/x/...`) or established organizations over obscure alternatives.

## Key Rules

- `go.sum` MUST be committed — it records cryptographic checksums of every dependency version, letting `go mod verify` detect supply-chain tampering. Without it, a compromised proxy could silently substitute malicious code.
- `govulncheck ./...` or `go tool govulncheck ./...` before every release — catches known CVEs in your dependency tree before they reach production.
- Check maintenance status, license, and stdlib alternatives before adding a dependency — every dependency increases attack surface, maintenance burden, and binary size.
- `go mod tidy` before every commit that changes dependencies — removes unused modules and adds missing ones, keeping go.mod honest.

## go.mod & go.sum

### Essential Commands

| Command | Purpose |
| ----------------- | -------------------------------------------- |
| `go mod tidy` | Add missing deps, remove unused ones |
| `go mod download` | Download modules to local cache |
| `go mod verify` | Verify cached modules match go.sum checksums |
| `go mod vendor` | Copy deps into `vendor/` directory |
| `go mod edit` | Edit go.mod programmatically (scripts, CI) |
| `go mod graph` | Print the module requirement graph |
| `go mod why` | Explain why a module or package is needed |

### Vendoring

Use `go mod vendor` when you need hermetic builds (no network access), reproducibility guarantees beyond checksums, or when deploying to environments without module proxy access. CI pipelines and Docker builds sometimes benefit from vendoring. Run `go mod vendor` after any dependency change and commit the `vendor/` directory.

## Installing & Upgrading Dependencies

### Adding a Dependency

```bash
go get github.com/google/uuid
```
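To make the `go.sum` rule concrete, here is an added example (not the skill's own code) that reimplements the `h1:` directory hash the go tool records in go.sum (the `dirhash.Hash1` algorithm from `golang.org/x/mod`) and checks a module's files against a go.sum line the way `go mod verify` does. The module path, version, file contents and go.sum line are constructed for the demonstration; they are not the real google/uuid source or checksum.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 recomputes the "h1:" hash go.sum records (dirhash.Hash1): names, prefixed
// "module@version/" as in the module zip, are sorted; each adds "<sha256 hex>  <name>\n"
// to a summary whose SHA-256, base64-encoded, is the hash.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[n]), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verify is what `go mod verify` does for one module: the hash recomputed from the cached
// files must equal the committed "module version h1:..." line; a missing line fails too.
func verify(gosum, mod, ver string, files map[string][]byte) error {
	for _, line := range strings.Split(gosum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != mod || f[1] != ver {
			continue // other modules and "version/go.mod" entries
		}
		if got := hash1(files); got != f[2] {
			return fmt.Errorf("%s@%s: checksum mismatch: go.sum has %s, files hash to %s", mod, ver, f[2], got)
		}
		return nil
	}
	return fmt.Errorf("%s@%s: missing from go.sum (run go mod tidy)", mod, ver)
}
func main() {
	mod, ver := "github.com/google/uuid", "v1.6.0" // constructed stand-in, not the real uuid source
	files := map[string][]byte{mod + "@" + ver + "/uuid.go": []byte("package uuid\n")}
	gosum := mod + " " + ver + " " + hash1(files) + "\n" // the line go.sum would record
	fmt.Println("clean:", verify(gosum, mod, ver, files))
	files[mod+"@"+ver+"/uuid.go"] = []byte("package uuid // altered in transit\n")
	fmt.Println("tampered:", verify(gosum, mod, ver, files))
}
```

A single changed byte in any file changes the h1 hash, which is why a committed go.sum lets `go mod verify` catch a substituted module regardless of which proxy served it.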