Go at least will never run arbitrary package code as part of a go get / go build / go install.
Only the resulting binary might contain malicious code, but the build and package management part is guaranteed safe.
In addition, Go installs the oldest viable version that matches the constraints; dependencies are thus not only locked, but also don’t automatically update to the newest available version during relocking unless explicitly requested by the user or another dependency.
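The version-selection behaviour the comment describes (minimal version selection: the oldest version satisfying every reachable requirement wins, and newer published releases are ignored until something explicitly requires them), as an added Go example that is neither the commenter's code nor the Go toolchain's. The module graph, the integer versions standing in for semver, and the names `Key`, `Requirements`, `MinimalVersionSelection` and `Upgrade` are constructed for illustration.

```go
package main

import "fmt"

// Key is one released version of a module; versions are plain integers here,
// a constructed simplification of semver for this example.
type Key struct{ Path string; Version int }

// Requirements: module version -> minimum versions it requires (its go.mod
// require lines). Constructed: lib@5 and util@7 exist but nothing needs them.
var Requirements = map[Key][]Key{
	{"app", 1}:  {{"lib", 2}, {"util", 1}},
	{"lib", 2}:  {{"util", 3}},
	{"lib", 5}:  {{"util", 7}},
	{"util", 1}: nil,
	{"util", 3}: nil,
	{"util", 7}: nil,
}

// MinimalVersionSelection walks the requirement graph from root and keeps, per
// module path, the highest version any reachable go.mod demands: the oldest
// version satisfying every constraint. Unrequired releases are never picked.
func MinimalVersionSelection(root Key, reqs map[Key][]Key) map[string]int {
	selected, visited, stack := map[string]int{}, map[Key]bool{}, []Key{root}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if visited[cur] {
			continue
		}
		visited[cur] = true
		if cur.Version > selected[cur.Path] {
			selected[cur.Path] = cur.Version
		}
		stack = append(stack, reqs[cur]...)
	}
	return selected
}

// Upgrade models an explicit "go get util@7": adding a requirement to the
// user's own module (in place) is what moves the selection forward.
func Upgrade(root Key, reqs map[Key][]Key, want Key) {
	reqs[root] = append(reqs[root], want)
}

func main() {
	fmt.Println(MinimalVersionSelection(Key{"app", 1}, Requirements)) // map[app:1 lib:2 util:3]
	Upgrade(Key{"app", 1}, Requirements, Key{"util", 7})
	fmt.Println(MinimalVersionSelection(Key{"app", 1}, Requirements)) // map[app:1 lib:2 util:7]
}
```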