Managing external dependencies
Go
Go dependencies are managed as Go modules.
Dependencies are controlled by the go.mod file, and cryptographic hashes of
the dependencies are stored in the go.sum file.
When building with Bazel, all external dependencies are managed as “remote
repositories” defined in the WORKSPACE.
In our WORKSPACE file, we load the file go_deps.bzl which lists all
external dependencies (including transitive dependencies) with exact version
and hash.
This go_deps.bzl file is generated by gazelle from the go.mod file.
Workflow to modify dependencies
To add/remove or update dependencies:
Modify
go.mod, manually or using e.g.go get.make go-mod-tidymake go_deps.bzlmake licenses, to update the licenses with the new dependencymake gazelle, to update the build files that depend on the newly added dependency
Warning
The Go rules for Bazel (rules_go) declare some internally used dependencies.
These may silently shadow the dependency versions declared in
go_deps.bzl.
To explicitly override such a dependency version, the corresponding
go_repository rule can be moved from go_deps.bzl to the
WORKSPACE file, before the call to go_rules_dependencies.
See the go_rules documentation on overriding dependencies.
Python
The python dependencies are listed in requirements.txt files. They are generated with bazel from the
adjoining requirements.in files.
The python dependencies are listed in tools/env/pip3/requirements.txt
and tools/lint/python/requirements.txt.
These files is generated from the adjoining requirements.in by bazel. Only
direct dependencies have to be listed, the transitive dependencies are inferred.
The exact command to update requirements.txt is described in a comment in
the header of the file.