According to https://github.com/golang/dep/blob/master/docs/FAQ.md#should-i-commit-my-vendor-directory, the pros and cons are:
Pros: - Only way to get truly reproducible builds - Don't need to `dep ensure` (or whatever your tool is) every time you check out or merge/pull Cons: - PR vendor diffs (although apparently "suppressed" by GitHub, according to the dep FAQ) - Bigger repository size I've argued successfully in the past for projects to check in their dependencies. For a current project, though, someone has counter-argued that some of the dependencies are just too large (like k8s.io/* packages), with too much churn, to check in, and I can see their point. When a dependency update can add 5+ MB, that's a pretty steep price. Is there consensus yet on whether or when to check in dependencies? -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.