Be Paranoid About Your Third Party Dependencies

With any programming language and its ecosystem, developers need to be judicious about the third-party dependencies they bring in. Go is no different, though it can sometimes be astonishing how simple it is for a third-party package to wreak havoc with your program.

Case in point:

In Go, it’s a common practice to represent errors as variables using the following syntax:

package foo

import "errors"

// ErrFoo is an exported, package-level sentinel error.
var ErrFoo = errors.New("foo error")

The above code creates an error value called ErrFoo. Following Go convention, since the variable name is capitalized, it is exported from its package and available to any other package that wants to reference it.

One quirk of Go is that error variables defined in this manner are modifiable: any other package that imports foo can reassign foo.ErrFoo to something else, and every caller that compares against ErrFoo is affected.
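An added example (not code from the original post) that shows the effect from a caller's point of view: a sentinel declared as on the page, a stand-in for a dependency that reassigns it, and, as an assumed mitigation the page does not discuss, the same sentinel declared as a constant so that the compiler rejects reassignment. The names tamper, doFoo, doBar and ConstError are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrFoo is a package-level sentinel error, declared the way the page shows.
// Because it is a var, any code that can import this package can reassign it.
var ErrFoo = errors.New("foo error")

// doFoo stands in for library code that reports failure with the sentinel.
func doFoo() error { return ErrFoo }

// tamper stands in for a third-party package (for instance in its init())
// that reassigns the exported sentinel. It compiles without complaint.
func tamper() { ErrFoo = errors.New("foo error") }

// Demo returns whether a caller's errors.Is check against ErrFoo succeeds for
// an error that was produced before tamper() ran, and again afterwards.
func Demo() (before, after bool) {
	err := doFoo()
	before = errors.Is(err, ErrFoo) // true: same value
	tamper()
	after = errors.Is(err, ErrFoo) // false: ErrFoo now names a new value
	return before, after
}

// ConstError lets error values be declared as constants, which the compiler
// refuses to reassign. This is an added mitigation, not from the page; it
// trades the pointer identity of errors.New for string equality.
type ConstError string

func (e ConstError) Error() string { return string(e) }

// ErrBar is the immutable counterpart of ErrFoo; `ErrBar = ...` anywhere,
// including in a dependency, is a compile error.
const ErrBar = ConstError("bar error")

func doBar() error { return ErrBar }

func main() {
	before, after := Demo()
	fmt.Println("errors.Is before tamper:", before, "after:", after)
	fmt.Println("constant sentinel matches:", errors.Is(doBar(), ErrBar))
}
```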
