A risky dependency and how AI helped me remove it

A single line in `go.mod` can pull in code from a vendor you would never trust on purpose. Your project may depend on the Russian-maintained mailru/easyjson without ever choosing it, buried several levels deep in the dependency graph of popular Go libraries.

This is a real risk, because the dependencies you did not pick are the ones you never check.

In this post, I show how I found one such indirect dependency in a chain of popular libraries, and how a single prompt to Claude helped me remove it.

Renovate PR on oapi-codegen that removes the mailru/easyjson dependency

TL;DR: oapi-codegen depended on mailru/easyjson without asking for it directly. The dependency came through getkin/kin-openapi, which used perimeterx/marshmallow, which used easyjson. I asked Claude whether marshmallow was really needed; it was not, and a few PRs later the dependency was gone from the whole chain.

[Read More]

Fixing a panic in 'go run' command

Have you found bugs in tools that you are using? Recently, while working on some google/go-github issues, I discovered a panic in `go run`. It happened when I forgot to provide an argument to the `-C` flag.

Screenshot of the panic in go run -C

This article explains how I found and fixed the bug in `go run -C` and `go install -C`, added tests to prevent future regressions, and how my fix was accepted into the Go repository.

[Read More]

How I simplified go-github for millions

How can a simple contribution to a library impact thousands of programs around the world? And why will this change become obsolete after the Go 1.26 release? I’ll answer these and a few other questions in detail in this post.

TL;DR: I replaced four helper functions (`String`, `Bool`, `Int`, `Int64`) with a single generic `Ptr[T]` function in google/go-github, affecting 10K+ projects. Ironically, Go 1.26’s enhanced `new` builtin will make this pattern unnecessary.

Screenshot of the Ptr function
[Read More]

Upgrading Golangci-lint to v2

Golangci-lint v2 was released in March 2025, bringing major architectural improvements and a cleaner configuration format. Despite being available for over seven months, adoption remains low.

If you are maintaining a Go project, now is the time to upgrade. This article covers why you should make the switch and provides a step-by-step walkthrough using a real-world project.

Screenshot of Golangci-lint v2 website (dark theme)
[Read More]

Found a group of malicious Go projects injected with a trojan

I accidentally discovered malicious programs in the Go ecosystem that impersonate legitimate tools such as the linter ldez/usetesting, the HCL editor go.mercari.io/hcledit, the official MailerSend Go SDK mailersend/mailersend-go, and many more. These programs are not very popular but are still used by some developers. By the time I wrote this article, I had reported the malicious repositories to GitHub support, and most of them have been deleted.

VirusTotal scan results for the trojan `f0eee999`
[Read More]