github.com/tsenart/vegeta
★
★
★
★
★
3
reviews
80
Security
16
Quality
15
Maintenance
41
Overall
v11.4.0+incompatible
Go
Go
Aug 28, 2018
No Known Issues
This package has a good security score with no known vulnerabilities.
24900
GitHub Stars
3.7/5
Avg Rating
Community Reviews
RECOMMENDED
Solid load testing tool with excellent performance but aging API surface
Vegeta excels at sustained load generation with minimal resource overhead. The attacker pattern is straightforward - you define targets, configure rate limiting, and consume results through channels. The library handles connection pooling efficiently and maintains consistent request rates even under heavy load. Memory usage stays predictable since results stream through channels rather than accumulating in memory.
The metrics collection is comprehensive, giving you precise latency percentiles, throughput, and success rates. Error handling is transparent - you get detailed error information in results without the library panicking. The ability to export results in multiple formats (JSON, CSV, histograms) makes integration with monitoring systems straightforward.
The biggest pain point is the "+incompatible" versioning - it predates proper Go modules support. Configuration is mostly code-based rather than declarative, which means more boilerplate but also more control. Timeout behavior is configurable but defaults could be more conservative. The library doesn't include built-in retry logic, which is appropriate for load testing but worth noting.
The metrics collection is comprehensive, giving you precise latency percentiles, throughput, and success rates. Error handling is transparent - you get detailed error information in results without the library panicking. The ability to export results in multiple formats (JSON, CSV, histograms) makes integration with monitoring systems straightforward.
The biggest pain point is the "+incompatible" versioning - it predates proper Go modules support. Configuration is mostly code-based rather than declarative, which means more boilerplate but also more control. Timeout behavior is configurable but defaults could be more conservative. The library doesn't include built-in retry logic, which is appropriate for load testing but worth noting.
Exceptional resource efficiency with consistent rate limiting even at high RPS
Streaming results through channels prevents memory bloat during long test runs
Built-in metrics provide actionable latency percentiles and throughput data without external dependencies
Clean separation between target definition, attack execution, and result processing
Module versioning shows "+incompatible" due to pre-modules release, complicating dependency management
No built-in distributed testing support for overwhelming single-host network limits
Configuration requires more code compared to declarative alternatives like YAML-based tools
Best for: Programmatic load testing where you need precise control over request rates and want to process results in real-time with minimal overhead.
Avoid if: You need distributed load generation out of the box or prefer configuration-file-driven tools over programmatic APIs.
RECOMMENDED
Powerful load testing library with clean API, despite minimal docs
Vegeta is surprisingly straightforward to integrate into Go projects for load testing. The core API revolves around creating an Attacker, defining Targets, and collecting Results - a model that clicks quickly once you see a basic example. The programmatic interface mirrors the CLI tool nicely, making it easy to transition if you've used the command-line version.
Error messages are generally clear when you misconfigure rate limits or target formats, though debugging timing issues requires understanding the internal pacing mechanics. The library handles connection pooling and keep-alives intelligently by default, which saves configuration headaches. Common patterns like custom headers, body payloads, and result aggregation are clean to implement, though you'll likely reference the examples in the GitHub repo frequently since godoc coverage is sparse.
Community support exists but is thin - GitHub issues get responses eventually, and Stack Overflow has basic examples. The learning curve is moderate; you'll spend time understanding Result types and metrics calculation, but the actual attack execution is intuitive. Watch for the `+incompatible` version tag indicating non-standard module versioning.
Error messages are generally clear when you misconfigure rate limits or target formats, though debugging timing issues requires understanding the internal pacing mechanics. The library handles connection pooling and keep-alives intelligently by default, which saves configuration headaches. Common patterns like custom headers, body payloads, and result aggregation are clean to implement, though you'll likely reference the examples in the GitHub repo frequently since godoc coverage is sparse.
Community support exists but is thin - GitHub issues get responses eventually, and Stack Overflow has basic examples. The learning curve is moderate; you'll spend time understanding Result types and metrics calculation, but the actual attack execution is intuitive. Watch for the `+incompatible` version tag indicating non-standard module versioning.
Clean, intuitive API that mirrors familiar CLI tool patterns
Handles connection management and HTTP client configuration sensibly out-of-the-box
Result types provide rich metrics data that's easy to aggregate and analyze
Examples in the repository cover most common load testing scenarios effectively
Godoc documentation is minimal, forcing heavy reliance on code examples
Module versioning shows +incompatible flag indicating pre-v2 semantic import issues
Community support is limited compared to alternatives, with slower issue response times
Best for: Go developers needing programmatic HTTP load testing with fine-grained control over request patterns and metrics collection.
Avoid if: You need extensive documentation, active community support, or prefer a batteries-included framework with guided tutorials.
CAUTION
Powerful load testing library with outdated dependencies and security concerns
Vegeta provides a solid API for HTTP load testing with flexible rate control and comprehensive metrics collection. The attacker interface is intuitive, letting you build custom target lists and execute concurrent requests with fine-grained control. The JSON/binary result encoding works well for post-processing attack results.
However, the security posture is concerning. The package is marked as 'incompatible' with proper module versioning, last released in 2018, and pulls in outdated dependencies that may contain known CVEs. TLS configuration requires manual hardening - defaults don't enforce modern cipher suites or minimum TLS versions. The library doesn't validate target URLs rigorously, allowing potential SSRF vectors if you're accepting user input. Error messages can leak internal paths and connection details, requiring careful wrapping in production contexts.
For internal load testing where you control all inputs and targets, it's functional. But the stale dependency tree and lack of secure-by-default configurations make it risky for any security-sensitive context or where untrusted input touches the attack configuration.
However, the security posture is concerning. The package is marked as 'incompatible' with proper module versioning, last released in 2018, and pulls in outdated dependencies that may contain known CVEs. TLS configuration requires manual hardening - defaults don't enforce modern cipher suites or minimum TLS versions. The library doesn't validate target URLs rigorously, allowing potential SSRF vectors if you're accepting user input. Error messages can leak internal paths and connection details, requiring careful wrapping in production contexts.
For internal load testing where you control all inputs and targets, it's functional. But the stale dependency tree and lack of secure-by-default configurations make it risky for any security-sensitive context or where untrusted input touches the attack configuration.
Clean API for programmatic load test construction with precise rate limiting controls
Comprehensive metrics collection including latency histograms and success rates
Flexible target definition supporting custom headers, bodies, and HTTP methods
Abandoned since 2018 with incompatible module versioning and outdated dependency tree
TLS defaults don't enforce modern security standards, requiring manual cipher suite configuration
Minimal input validation on URLs and targets creates SSRF risks if accepting external input
Best for: Internal load testing of controlled endpoints where you manage all attack parameters and accept dependency maintenance burden.
Avoid if: You need actively maintained dependencies, secure-by-default TLS, or plan to accept any form of user-provided target configuration.
Write a Review
Sign in to write a review
Sign In