by pjjpo
6 days ago
I don't know of anyone accessing a database like Postgres with just the stdlib in real apps. Or maybe the API is just serving data out of a JSON file checked in the repo? I agree the stdlib is great, but the reality is production apps cannot be built using only it. Most codebases have dependencies. Most accept dependency updates from Renovate etc. without much thought. Go can remain secure if goproxy has thorough security scans (I think they do, but am not sure if it's unbeatable) and if the fact that any attack will be in OSS code itself, rather than packaged just-in-time in a workflow, makes it visible before significant damage. I have no idea if the latter is true, but it might be. Of course NPM packages are just as visible as long as someone is scanning them, so maybe not.