Comment by Mawr
2 months ago
For Go, there are more impactful features: minimal version selection and the culture of fewer, but larger dependencies.
Your average Go project likely has 10x fewer deps than a JS project. Those deps will not get auto-updated to their latest versions either. Much lower attack surface area.
Agreed that fewer deps helps, but that’s largely downstream of Go’s mechanics. Minimal version selection and immutability make churn abnormal, so graphs stay small. In JS ecosystems, churn is the default, so fan-out explodes.