With a near-endless list of Go Modules, it can be overwhelming trying to decide which is best for your Go build. For new Go developers, it can be difficult to pick a winner for your specific use case.

This phenomenon is nothing new. In fact, it’s one of the reasons why open-source is such a godsend to developers. Oftentimes, when a module is published by a developer, it was likely developed to solve a specific problem that they are facing. If another developer were to use their module to solve the same problem, there may be some performance criteria needed within that module that the current version does not meet. Luckily, there are often many versions of Go Modules to choose from that can solve different use cases.

The more use cases there are for a module, the more complex it becomes when trying to find the one that is best for your specific use case. Even after you feel that you’ve found the correct module for your build, how can you be sure? Let’s discuss some of the parameters you should consider before deciding on a Go Module and show you how to increase the odds of picking the right module for you!

Choosing a Go Module: What’s Important

There are a plethora of great options available when choosing your Go Module and dwindling that list can be a simple task when considering three fundamental parameters:

• Module Popularity - How widely used a module is
• Module References - The attribution of the module
• Module Compliance - The level of security within that module and its dependencies

Each of these factors is heavily important when choosing a Go Module, as each will have a direct effect on the success of your build. For each parameter, we’ll show an example of a module within GoCenter, a free repository for versioned Go Modules.

Module Popularity

When choosing your Go Module, it’s important that the desired module has been adopted and used by others. A module that has been used by many other developers has a higher likelihood of solving the intended issue; there is also a likelihood that developers are still using the module, ensuring that it’s consistently being updated. There are 2 effective ways to check a module's popularity.

One of the most useful ways for developers to measure the popularity of a module is by looking at the amount of Github stars that it has received. Another alternative for checking a module’s popularity is by checking the number of times that it’s been downloaded by others. These are both tested and proven methods for choosing a module for any programming language. Since Go is a relatively new programming language, the number of downloads may not always reflect the popularity of the module especially if the module is new. If this is the case, It’s recommended that you look at the number of contributors as well. A popular module with a high number of Github stars, downloads (if applicable) and contributors means that you’ll have a higher chance that the module is the right fit for your build.

Here, you see an example of a popular Go module, Aws-sdk-go. It has 5,790 stars and 452,277 downloads, meaning that thousands of developers have used this module and can verify that it’s safe, reliable and has a version that has solved their specific use case. It also has 222 contributors, assuring that many people have used and developed other versions of the module to fit their use case:

Module References

Checking a module’s references is another effective way to be sure that you’re choosing the right module for your build. It provides insight into the dependents of that module, which can be used to discover which other modules are using the module that you’re interested in consuming. By referencing the modules that use your desired module, you may notice that large-scale corporations use that module, meaning that it is more likely to be secure and usable.

For example, below we have the dependent information of the AWS module. Taking a glance, there is no negative information found on this module. The “Used By” tab shows which modules are using the module you want to consume. Below, we see that this module is being used by an enterprise, almost ensuring that the module is secure.

Module Compliance

As the consumption of publicly shared code/modules increases, developers and organizations need a way to check if the module in question is safe enough to consume. When we reference safety, it’s all about the security of the modules and the vulnerabilities that are present. The example below is of a module with two security vulnerabilities, meaning that this module can be risky to consume:

The best compliance practices include choosing modules without vulnerabilities. While this is a no-brainer, sometimes finding a module without vulnerabilities can be impossible. If you’re using a module that has a vulnerability or two, check how frequently the module is being updated. If the same security issue persists for the last 4-5 versions, the author of the module may not be making any updates or any attempts at mitigating the issue. This ultimately means that you’ll need to look for another module to use, or you’ll need to build the one that works best for you! I never recommend using a vulnerable module.

Now Take your Pick!

When choosing a Go module, it can be difficult to pick a winner. There are many parameters that ultimately affect the decision-making process and oftentimes, it can depend solely on a matter of preference. Be sure to consistently check the popularity, references and the compliance of the modules that you’re considering before consuming them.

Originally published at https://jfrog.com/blog/how-to-pick-a-winning-go-module/