It is an explicit security design goal of the Go toolchain that neither fetching nor building code will let that code execute, even if it is untrusted.

Check more stories related to programming at: https://hackernoon.com/c/programming.

You can also check exclusive content about #go, #golang, #supply-chain, #supply-chain-attacks, #version-control-system, #go-for-beginners, #go-guide, #golang-safety, and more.

This story was written by: @Go. Learn more about this writer by checking @Go's about page,

and for more stories, please visit hackernoon.com.

All together this means it’s possible to build rich, complex applications with just a handful of dependencies. No matter how good the tooling is, it can’t eliminate the risk involved in reusing code, so the strongest mitigation will always be a small dependency tree.