

11 days ago
Is vendoring really going to help? Vendor or not, you need to review your deps’ code.
Go’s go.sum should already protect against malicious changes in upstream packages, no?
I must be an old, boring fart, but when I see blog posts with emoji spam in every single paragraph, I feel pandered to. It reads like an MLM post on Facebook about being your own GirlBoss.
All true, but regarding #1: the size of the go.sum and all the indirect deps in the go.mod are also telling me a lot already :)