Hello fellow Gophers!I help maintain an SDK module that includes packages that provide middleware to different web frameworks (e.g. echo).The SDK started out as a single module in a Git repository, and we have considered and hesitated splitting it into multiple modules in a single repository because of the implications that it has on maintenance, development, testing and release processes.The root package implements the core functionality of the SDK and has no external dependencies, it only needs the standard library. That's what most people need. The other packages each depend on a web framework module, and downstream users typically only need to use one of those packages and do not want to bother about the others.The current `/go.mod` file is littered with dependencies to many web frameworks and their dependencies, and that has caused problems and confusion to our downstream users, especially when one of those dependencies end up flagged by tools like Dependabot as containing a CVE. (Code security scanners seem to typically operate on the Go module level and not at the package level, so they often report problems even though the affected module/package is not part of the final build list of the main package.)
I've been trying to find a way to eliminate the problems of the current single-module-per-repo setup while avoiding the implications of going multi-module-per-repo, as we have limited resources to maintain the SDK.The recent idea I had was to simply omit `require` entries in the `/go.mod` file, essentially making the module "untidy" (as in `go mod tidy` would re-introduce the missing requires), but I haven't found any mention to that approach on the Internet.
I'm a user of the sentry-go SDK who has been impacted by the large number of dependencies in the past.>Independently, if your users have automated tools that are issuing false-positive CVE warnings based on the module graph instead of the package-import graph, you may want to suggest that they file issues against those tools.Does using the package-import graph capture the full picture of how a module impacts importers of the module.
My understanding – maybe incorrect or out-dated – is that importing a module still brings that modules complete dependency graph into the dependency resolution process. Anyone using dependencies imported will be limited by the minimum versions defined in sentry-go SDK or any transitive dependency through sentry-go. Even if their go.mod is simpler on the surface, an SDK with a large and far reaching dependency graph can still impact other projects.
Bryan, is there a good example of how to use the go tool to provide details of the package-import graph? I would normally use go mod graph and go mod why which as I understand both are limited to the module graph.