The dep
tool’s FAQ answers this:
Should I commit my vendor directory?
It’s up to you:
Pros
- It’s the only way to get truly reproducible builds, as it guards
against upstream renames, deletes and commit history overwrites.- You don’t need an extra
dep ensure
step to syncvendor/
with
Gopkg.lock
after most operations, such as go get, cloning, getting
latest, merging, etc.Cons
- Your repo will be bigger, potentially a lot bigger, though prune can help minimize this problem.
- PR diffs will include changes for files under
vendor/
whenGopkg.lock
is modified, however files invendor/
are hidden by default on GitHub.