GitHub official npm?

Is GitHub the official npm for Go modules? I mean, how do I trust a GitHub module ‘blindly’ even if the source is open? Not everyone is going to read the code.

cmd\main\routes.go:9:2: missing go.sum entry for module providing package github.com/go-chi/chi; to add:
        go mod download github.com/go-chi/chi

In Go there is no central package repository; any Git hosting platform can be used with a bit of configuration.

And as the go.sum file might jump “randomly” on each added dependency, I think it is indeed expected to blindly trust.

1 Like

Well, one of the great things about Go projects is: they tend to have far fewer dependencies than many other ecosystems I’ve worked in. I work with people who don’t let non-reviewed code into their projects (it’s always a risk to security, though a generally accepted one). Check out go mod vendor if you want to know more.

1 Like
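What a go.sum line pins, as an added example that is not part of the original thread: the `h1:` value is a SHA-256 over the per-file hashes of a module version (the algorithm of `dirhash.Hash1` in golang.org/x/mod), so the same version with different bytes fails the check. The module path `example.com/demo`, the file contents and the function names `hashH1` and `verify` are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1 reproduces the "h1:" hash stored in go.sum: SHA-256 over the sorted
// lines "<hex sha256 of file>  <module@version>/<path>\n", base64-encoded.
func hashH1(modVer string, files map[string]string) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fmt.Fprintf(h, "%x  %s/%s\n", sha256.Sum256([]byte(files[p])), modVer, p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verify reports whether goSum pins module@version to exactly these files.
// A missing entry is an error, like the "missing go.sum entry" build failure.
func verify(goSum, module, version string, files map[string]string) (bool, error) {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && f[1] == version {
			return f[2] == hashH1(module+"@"+version, files), nil
		}
	}
	return false, fmt.Errorf("missing go.sum entry for %s %s", module, version)
}

func main() {
	// Constructed sample: hypothetical module path and file contents.
	files := map[string]string{"go.mod": "module example.com/demo\n", "demo.go": "package demo\n"}
	goSum := "example.com/demo v1.0.0 " + hashH1("example.com/demo@v1.0.0", files) + "\n"
	ok, _ := verify(goSum, "example.com/demo", "v1.0.0", files)
	fmt.Println("untouched copy matches go.sum:", ok)
	files["demo.go"] += "func init() {}\n" // same version tag, different bytes
	ok, _ = verify(goSum, "example.com/demo", "v1.0.0", files)
	fmt.Println("modified copy matches go.sum:", ok)
}
```

A matching hash shows you received the same bytes that were recorded when the entry was added, not that anyone reviewed them; `go mod vendor`, mentioned above, is what copies those bytes into your tree where they can be reviewed.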
