The dep tool’s FAQ answers this:
Should I commit my vendor directory?
It’s up to you:
Pros
- It’s the only way to get truly reproducible builds, as it guards against upstream renames, deletes and commit history overwrites.
- You don’t need an extra `dep ensure` step to sync `vendor/` with `Gopkg.lock` after most operations, such as go get, cloning, getting latest, merging, etc.
Cons
- Your repo will be bigger, potentially a lot bigger, though prune can help minimize this problem.
- PR diffs will include changes for files under `vendor/` when `Gopkg.lock` is modified, however files in `vendor/` are hidden by default on GitHub.