Github official npm?

Is GitHub the official npm for go modules? I mean, how do I trust a github module ‘blindly’ even if the source is open ? Not everyone is going to read the code.

cmd\main\routes.go:9:2: missing go.sum entry for module providing package github.com/go-chi/chi; to add:
        go mod download github.com/go-chi/chi

In go there is no central package repository, any git hosting platform can be used with a bit of configuration.

And as the go.sum file might jump “randomly” on each added dependency, I think it is indeed expected to blindly trust.

1 Like

Well, one of the great things about Go projects is: they tend to have far fewer dependencies than many other ecosystems I’ve worked in. I work with people who don’t let non-reviewed code into their projects (it’s always a risk to security, though a generally accepted one). Check out go mod vendor if you want to know more.

1 Like