[spbuilds]

The transitive dependency case is what makes this painful in practice. You’re not even choosing that library it’s three levels deep in your dependency tree, and suddenly CI fails because some maintainer ran `go get go@latest` on a Saturday.

[dolmen]

That's not how that works in the Go ecosystem: you don't get that dependency upgrade unless you explicitly upgrade the dependencies of your project. The Go toolchain uses the "Minimum Version Selection" algorithm.

https://research.swtch.com/vgo-mvs