Hi, I maintain two go ports and I’ve recently started using govulncheck for other go projects (there’s a PR to commit govulncheck to ports).
govulncheck checks all dependencies of a go project against the vulnerability database at https://vuln.go.dev/ and warns if your code is calling vulnerable code. Would it be advisable to add test code to go projects to always call govulncheck? It would add a TEST_DEPENDS on govulncheck (which hasn’t been committed yet) and it calls the vuln db at google. Thoughts? .einar
