Why Switch to Go Module Proxy and Ditch the Vendor Directory?

Problems with the vendor directory

The vendor directory is no longer the default for go commands; it must be enabled explicitly with -mod=vendor.

It adds significant size to the repository, slowing clone operations and CI/CD pipelines.

Reviewing changes in vendor is cumbersome because the vendored code is tightly coupled with business logic.

Issues when the vendor directory is not used

go

attempts to download modules directly from their source repositories, which may be deleted or become unavailable.

Version‑control services (e.g., GitHub) can experience outages, breaking builds that rely on direct VCS access.

Isolated internal networks that lack internet access cannot fetch modules without a proxy.

Malicious actors could publish a compromised version of a module; storing go.sum alongside go.mod mitigates this risk.

Some dependencies use VCS systems other than Git (Mercurial, Bazaar, Subversion), requiring additional tools. go get must download each dependency’s source to resolve transitive dependencies, performing a git clone for every repository and slowing builds.

Solution: Use a Go module proxy

Setting the GOPROXY environment variable directs the Go toolchain to fetch modules from a proxy instead of contacting the original VCS directly. This eliminates the need for a vendor directory.

Benefits of a Go module proxy

Proxies cache and permanently store every module version in immutable storage, guaranteeing availability even if the upstream source disappears.

Repository size is reduced because vendored code is no longer committed.

Immutable storage prevents version‑replacement attacks.

No VCS tools are required at build time; modules are retrieved over HTTP.

Official benchmarks show build times improve by 3–6×.

Running a private proxy gives organizations fine‑grained control over build‑pipeline stability.

Configuring GOPROXY

Assign GOPROXY according to the desired behavior:

GOPROXY=""
GOPROXY=direct

Disable all network access (useful for reproducible offline builds):

GOPROXY=off

Public proxy examples

GOPROXY=https://proxy.golang.org   # official Google proxy (blocked in mainland China)
GOPROXY=https://goproxy.io          # community‑run proxy
GOPROXY=https://goproxy.cn          # China‑friendly proxy hosted on Qiniu

Self‑hosted proxy implementations

Athens – https://github.com/gomods/athens goproxy – https://github.com/goproxy/goproxy THUMBAI –

https://thumbai.app/

Commercial proxy solutions

Artifactory –

https://jfrog.com/artifactory/

Alternative: local file proxy

A file:/// URL can point to a directory on the local filesystem that contains a module cache.

Changes introduced in Go 1.13

GOPROXY

can be a comma‑separated list; the tool tries each entry in order until one succeeds.

The default value is https://proxy.golang.org,direct; entries after direct are ignored.

The new GOPRIVATE variable allows private module paths to bypass the proxy, useful for internal corporate modules.

References

Go Modules Wiki: https://github.com/golang/go/wiki/Modules Official Go proxy:

https://proxy.golang.org/