Is GitHub the official npm for Go modules? I mean, how do I trust a GitHub module ‘blindly’ even if the source is open? Not everyone is going to read the code.
cmd\main\routes.go:9:2: missing go.sum entry for module providing package github.com/go-chi/chi; to add:
go mod download github.com/go-chi/chi
In Go there is no central package repository; any Git hosting platform can be used with a bit of configuration.
And as the go.sum file might jump “randomly” on each added dependency, I think it is indeed expected to blindly trust.
Well, one of the great things about Go projects is: they tend to have far fewer dependencies than many other ecosystems I’ve worked in. I work with people who don’t let non-reviewed code into their projects (it’s always a risk to security, though a generally accepted one). Check out go mod vendor if you want to know more.