go-dependency-audit checks Go module dependency ages and fails when modules are newer than a configured minimum age.
- Checks dependency publish time via GOPROXY
- Supports direct-only or full dependency checks (including indirect)
- Handles `replace` directives
- Supports ignore patterns (GOPRIVATE-style)
- Supports explicit allow-list entries for specific `module@version`
- Supports JSON and human-readable output
- Supports diff mode against a git base ref (`--base`)
- Go 1.24+
- A project with `go.mod`

Build locally:

```bash
go build -o go-dependency-audit .
```

Run without installing:

```bash
go run .
```

Run in a Go module directory:

```bash
go-dependency-audit [flags]
```

Check all direct dependencies:

```bash
go-dependency-audit
```

Check with minimum age of 7 days:

```bash
go-dependency-audit --age 7d
```

Include indirect dependencies:

```bash
go-dependency-audit --indirect
```

Ignore internal modules:

```bash
go-dependency-audit --ignore "github.com/myorg/*"
```

Output JSON:

```bash
go-dependency-audit --json
```

Check only dependencies changed from main:

```bash
go-dependency-audit --base main
```

- `--config` path to config file (default: `.go-dependency-audit.json`)
- `--age` minimum release age (examples: `3d`, `72h`)
- `--indirect` include indirect dependencies
- `--ignore` comma-separated module patterns to ignore
- `--json` output JSON format
- `--concurrency` number of concurrent proxy queries
- `--base` git ref for diff-based checks (for example `main`, `HEAD~1`)

Default config file name: `.go-dependency-audit.json`

Example:

```json
{
  "age": "7d",
  "indirect": false,
  "ignore": ["github.com/myorg/*"],
  "json": false,
  "concurrency": 10,
  "allow": [
    {
      "module": "github.com/new-lib/foo",
      "version": "v1.2.0",
      "reason": "reviewed in PR #42"
    }
  ]
}
```

Entries in `allow` skip the age check for an exact `module@version` pair.

- `0`: success (all checked modules pass)
- `1`: policy violation (one or more modules are too new)
- `2`: runtime/configuration error
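
The age and ignore checks described above, as an added example (not the project's own code): it decodes the JSON body a Go module proxy serves at `<module>/@v/<version>.info`, applies a minimum age, and matches GOPRIVATE-style ignore patterns by path prefix. The function names, the fail-closed handling of a missing timestamp, and the sample data are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strconv"
	"strings"
	"time"
)

// parseAge accepts "7d" (days, which time.ParseDuration lacks) or forms like "72h".
func parseAge(s string) (time.Duration, error) {
	if d, ok := strings.CutSuffix(s, "d"); ok {
		n, err := strconv.Atoi(d)
		return time.Duration(n) * 24 * time.Hour, err
	}
	return time.ParseDuration(s)
}

// ignored reports whether any glob matches a leading path prefix of mod (GOPRIVATE semantics).
func ignored(mod string, patterns []string) bool {
	parts := strings.Split(mod, "/")
	for _, p := range patterns {
		n := strings.Count(p, "/") + 1
		if n > len(parts) {
			continue
		}
		if ok, _ := path.Match(p, strings.Join(parts[:n], "/")); ok {
			return true
		}
	}
	return false
}

// tooNew decodes a proxy .info body; an unreadable or absent Time counts as too new (fail closed).
func tooNew(info []byte, minAge time.Duration, now time.Time) (bool, error) {
	var v struct{ Time time.Time }
	if err := json.Unmarshal(info, &v); err != nil || v.Time.IsZero() {
		return true, fmt.Errorf("no usable publish time (decode error: %v)", err)
	}
	return now.Sub(v.Time) < minAge, nil
}

func main() {
	// Constructed sample of a .info body; the clock is fixed so the result is reproducible.
	info := []byte(`{"Version":"v1.2.0","Time":"2025-01-10T12:00:00Z"}`)
	minAge, _ := parseAge("7d")
	fmt.Println(tooNew(info, minAge, time.Date(2025, 1, 13, 12, 0, 0, 0, time.UTC)))
}
```

Treating a missing timestamp as a violation keeps a malformed or stripped proxy response from passing as an old release.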
The repository includes GitHub Actions workflows for:
- lint/test (`go vet`, `go test -race`)
- build
- tagged releases via GoReleaser