Consider defining new module in `example` package
Closed this issue · 1 comments
Given the current way Go modules work, defining the `example` packages causes consumers of this library to record dependencies of the `example` package in their `go.sum` files, where they can be discovered by security scanners and dependency analyzers. These dependencies are not used by the importable packages of the library and many of them may not even be used by the `example` package.
I'll need to do more research, but I believe by defining a `go.mod` file in the `example` directory we can exclude it (and its dependencies) from the dependency graph of the primary module without causing any issues for maintenance or consumers (since you can't import the `example` package).
Yes, defining `example` as its own module will exclude it from the primary module. Only thing to flag is that, in this scenario, you will probably want to set up CI to run all checks in the `example` module as well (since building/checking the main module will no longer cover anything in the example module).
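
The CI concern raised in the comment above, as an added example that is not part of the original thread or the project's own tooling: a shell helper that finds every `go.mod` in the repository and runs the same checks inside each module, so the nested `example` module stays covered. The function names `list_modules` and `check_modules` and the default build/vet/test command set are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the project).
# Once example/ has its own go.mod, "./..." patterns run from the repository
# root stop at the module boundary and no longer build or test example/.

# Print the directory of every go.mod under $1 (default "."), skipping
# vendor/ and testdata/ trees; sorted so CI output is stable.
list_modules() {
    root="${1:-.}"
    find "$root" \( -name vendor -o -name testdata \) -prune -o \
        -name go.mod -type f -print | sed 's|/go\.mod$||' | sort
}

# Run a command inside each module directory. With no command given, run the
# assumed default checks: go build, go vet, go test.
# Every module is tried; the return status is non-zero if any of them failed.
check_modules() {
    root="${1:-.}"
    if [ "$#" -gt 0 ]; then shift; fi
    failed=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        echo "==> $dir"
        if [ "$#" -gt 0 ]; then
            (cd "$dir" && "$@") </dev/null || failed=1
        else
            (cd "$dir" && go build ./... && go vet ./... && go test ./...) \
                </dev/null || failed=1
        fi
    done <<EOF
$(list_modules "$root")
EOF
    return "$failed"
}

# CI step, run from the repository root:
#   check_modules .
```

Passing a command after the root, for example `check_modules . go mod verify`, runs that command in each module instead of the default checks.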