Go didn't even have versioning for dependencies for ages, so CVE reporting was a disaster.

And there's plenty of libraries you'll have to pull to get a viable product.