palantir/go-githubapp

Consider defining new module in `example` package

Closed · 1 comment

Given the current way Go modules work, defining the example packages causes consumers of this library to record dependencies of the example package in their go.sum files, where they can be discovered by security scanners and dependency analyzers. These dependencies are not used by the importable packages of the library and many of them may not even be used by the example package.

I'll need to do more research, but I believe by defining a go.mod file in the example directory we can exclude it (and its dependencies) from the dependency graph of the primary module without causing any issues for maintenance or consumers (since you can't import the example package).

Yes, defining example as its own module will exclude it from the primary module. Only thing to flag is that, in this scenario, you will probably want to set up CI to run all checks in the example module as well (since building/checking the main module will no longer cover anything in the example module).
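The following is an added example, not code from this issue or from palantir/go-githubapp. It builds a throwaway two-module layout in a temp directory to show the effect described in the issue body (a nested `go.mod` under `example/` drops the example package and its requirements from the parent module's graph) and the point raised in the comment (checks for the example module have to be run from inside that module). The module path `example.com/lib`, the package contents and the directory layout are constructed for the demonstration; the `replace example.com/lib => ../` directive is the usual way to make a nested example module build against the local checkout of its parent.

```shell
#!/bin/sh
# Added example (not the project's own code): demonstrate that a nested go.mod
# in ./example keeps the example package out of the parent module's graph.
# Everything below is constructed in a temp dir; nothing touches the network.

demo_nested_module() {
  work=$(mktemp -d)
  # Hermetic, offline go invocation: no proxy, no toolchain download,
  # private caches, and no go.work file from an enclosing directory.
  export GOPROXY=off GOSUMDB=off GOFLAGS=-mod=mod GOTOOLCHAIN=local GOWORK=off GOENV=off
  export GOPATH="$work/gopath" GOCACHE="$work/gocache"

  # Parent (importable) module: the code consumers actually depend on.
  mkdir -p "$work/lib/example"
  cat > "$work/lib/go.mod" <<'EOF'
module example.com/lib

go 1.18
EOF
  cat > "$work/lib/lib.go" <<'EOF'
package lib

// Greeting is the only API the constructed parent module exports.
func Greeting() string { return "hello" }
EOF

  # Nested module for the example program. The replace directive points at
  # the parent checkout, so the example builds against local code and never
  # needs a published version of the parent.
  cat > "$work/lib/example/go.mod" <<'EOF'
module example.com/lib/example

go 1.18

require example.com/lib v0.0.0

replace example.com/lib => ../
EOF
  cat > "$work/lib/example/main.go" <<'EOF'
package main

import (
	"fmt"

	"example.com/lib"
)

func main() { fmt.Println(lib.Greeting()) }
EOF

  # 1. From the parent module, ./... no longer reaches the example package,
  #    because a directory with its own go.mod is excluded from the pattern.
  parent_pkgs=$(cd "$work/lib" && go list ./...)
  case "$parent_pkgs" in
    *"/example"*) echo "fail: example package still in parent"; return 1;;
  esac

  # 2. The parent's module graph contains only itself: nothing the example
  #    requires can end up in a consumer's go.sum via this module.
  parent_mods=$(cd "$work/lib" && go list -m all)
  [ "$parent_mods" = "example.com/lib" ] || { echo "fail: unexpected modules: $parent_mods"; return 1; }

  # 3. The example module still builds and vets, but only when the checks are
  #    run from inside it; this is the extra CI step the comment asks for.
  (cd "$work/lib/example" && go build ./... && go vet ./...) || { echo "fail: example module checks"; return 1; }

  rm -rf "$work"
  echo ok
}

demo_nested_module
```

Step 3 is the part to carry into CI: once `example/` is its own module, a `go build ./... && go vet ./...` at the repository root silently skips it, so the pipeline needs a second invocation with the working directory set to `example/`. Step 2 is the check a consumer-facing reviewer would want, since `go list -m all` in the parent is exactly the set of modules a downstream `go.sum` can pick up from this dependency.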