I forgot that even though fmt will never suffer from middle man attacks downloading the Go toolchain, the standard library already covers 100% of the uses cases someone cares about using Go for, and no one is using CGO.
I used to use CGO quite a lot in linux-embedded environment.
And we had huge dependency chains as well to non-standard library stuff, nowhere near as bad as an average nodejs project but still not free from the problem.
