Managing external dependencies¶
Go¶
Go dependencies are managed as Go modules.
Dependencies are controlled by the go.mod
file, and cryptographic hashes of
the dependencies are stored in the go.sum
file.
When building with Bazel, all external dependencies are managed as “remote
repositories” defined in the WORKSPACE
.
In our WORKSPACE
file, we load the file go_deps.bzl
which lists all
external dependencies (including transitive dependencies) with exact version
and hash.
This go_deps.bzl
file is generated by gazelle from the go.mod
file.
Workflow to modify dependencies¶
To add/remove or update dependencies:
- Modify
go.mod
, manually or using e.g.go get
. go mod tidy
make go_deps.bzl
make licenses
, to update the licenses with the new dependencymake gazelle
, to update the build files that depend on the newly added dependency
Warning
The Go rules for Bazel (rules_go) declare some internally used dependencies.
These may silently shadow the dependency versions declared in
go_deps.bzl
.
To explicitly override such a dependency version, the corresponding
go_repository
rule can be moved from go_deps.bzl
to the
WORKSPACE
file, before the call to go_rules_dependencies
.
See the go_rules documentation on overriding dependencies.
Python¶
The python dependencies are listed in a requirements.txt
file.
This file is generated from the adjoining requirements.in
by pip-compile. Only direct dependencies have to be
listed, the transitive dependencies are inferred by pip-compile
.
The exact command to update requirements.txt
is described in a comment in
the header of the file.