I took a decidedly minimalist dependency stance a while ago, and I’m glad about it. It’s hard; you also don’t want to be writing bespoke libraries for everything, but what really got me on this kick was viper and cobra. Using cobra adds 32,400 LOC to your project. To parse flags. 19,600 of those are in cobra’s dependencies, which - of course, you also have to vet.

Especially when I’m writing libraries myself, I go to fairly extreme lengths to have an empty go.mod; at least my users only have to audit my project, and not some branching nest of dependencies.

Interesting that it sounds like it is immediately overwriting the whole primary drive rather than trying to exfiltrate any data (or anything else) first