deps.dev does an absolutely terrible job with Go dependencies. It thinks modules are the unit of dependency rather than packages. Consequentially, it reports vulnerabilities in packages that are never even imported. For example, <a href="https://deps.dev/go/filippo.io%2Fsunlight" rel="nofollow">https://deps.dev/go/filippo.io%2Fsunlight</a> shows a "9.1 CRITICAL" vulnerability in a supposed SSH dependency from a project that has nothing to do with SSH.<p>Google ought to be embarrassed by this, especially when govulncheck <<a href="https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck" rel="nofollow">https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck</a>> exists and actually checks whether vulnerable code is reachable.