A single line in go.mod can pull in code from a vendor you would never trust on purpose.
Your project may depend on the Russian-maintained mailru/easyjson without ever choosing it, buried several levels deep in the dependency graph of popular Go libraries.
This is a real risk, because the dependencies you did not pick are the ones you never check.
In this post, I show how I found one such indirect dependency in a chain of popular libraries, and how a single prompt to Claude helped me remove it.
TL;DR: oapi-codegen depended on mailru/easyjson without asking for it directly.
The dependency came through getkin/kin-openapi, which used perimeterx/marshmallow, which used easyjson.
I asked Claude whether marshmallow was really needed; it was not, and a few PRs later the dependency was gone from the whole chain.
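Before trusting a dependency chain like the one above, the check a practitioner wants is: which path in my own module graph pulls this module in? The Go toolchain answers that directly with `go mod why -m <module>`, but the same question can be answered from `go mod graph` output, which is useful when you want to script the check across many modules or many repositories. The program below is an added example, not code from the original post or from any of the projects it names: it parses `go mod graph` text into an adjacency list and runs a breadth-first search for the shortest chain from the root module to a target module. The graph it reads is a constructed sample embedded in the file; the module paths and version numbers in it are illustrative assumptions, not taken from any real go.mod or go.sum.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGraph is a constructed stand-in for `go mod graph` output.
// Each line is "<dependant> <dependency>"; the root module carries no
// version. Module paths and versions here are assumptions for the
// example and do not describe any real project's go.mod.
const sampleGraph = `example.com/app github.com/deepmap/oapi-codegen@v1.0.0
example.com/app github.com/stretchr/testify@v1.8.0
github.com/deepmap/oapi-codegen@v1.0.0 github.com/getkin/kin-openapi@v0.100.0
github.com/getkin/kin-openapi@v0.100.0 github.com/perimeterx/marshmallow@v1.1.0
github.com/perimeterx/marshmallow@v1.1.0 github.com/mailru/easyjson@v0.7.7
github.com/stretchr/testify@v1.8.0 github.com/davecgh/go-spew@v1.1.1
`

// modulePath strips the "@version" suffix that `go mod graph` appends to
// every non-root module, so that different versions of one module collapse
// into a single graph node.
func modulePath(s string) string {
	if i := strings.IndexByte(s, '@'); i >= 0 {
		return s[:i]
	}
	return s
}

// parseModGraph turns `go mod graph` text into an adjacency list keyed by
// module path. Malformed lines are skipped rather than treated as edges.
func parseModGraph(text string) map[string][]string {
	edges := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		from, to := modulePath(fields[0]), modulePath(fields[1])
		edges[from] = append(edges[from], to)
	}
	return edges
}

// dependencyPath returns the shortest chain root -> ... -> target as a
// slice of module paths, or nil when target is not reachable from root.
// A breadth-first search gives the shortest chain, which is the one you
// want to read when deciding where in the chain a dependency can be cut.
func dependencyPath(edges map[string][]string, root, target string) []string {
	parent := map[string]string{root: ""} // "" marks the root; module paths are never empty
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = parent[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

func main() {
	edges := parseModGraph(sampleGraph)
	path := dependencyPath(edges, "example.com/app", "github.com/mailru/easyjson")
	if path == nil {
		fmt.Println("target module is not in the graph")
		return
	}
	fmt.Println(strings.Join(path, " -> "))
}
```

To run this against a real project, replace sampleGraph with the output of `go mod graph` (or read it from stdin) and pass your own module path as the root. The chain it prints is the list of maintainers you are implicitly trusting; each hop is a place where the dependency could be removed, which is exactly the question the post asks of marshmallow. Note that `go mod graph` lists requirements, not necessarily packages that end up in your binary; `go mod why -m` is the authoritative answer for whether the module is actually needed by your build.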
