The current Go module design and implementation target small Go projects.
Those projects consume raw, unchanged third-party projects, and rely blindly on the QA done by those other projects. Their only needs are to download those projects, check they’ve not been tampered with (via notaries), and regularly check for updates.
third party code
↓