it is obvious that you haven't worked with go for a long time because for some years now go.mod files show you literally every import, both the ones named in your sources in the repo and all the ones that are named in the ones you imported (the go mod tool puts `// indirect` after them)
and i concur with your opinion about the thoughtless use of packages without considering this, i'm obsessive about how long the list of imports in my go.mod gets, and when i see repeating ones i get stressed
this is why i put my "nostrbench" package in a completely separate repo from my code because i don't want it polluted with fiatjaf's infinity imports, and all the crazy versions
this is also why i have reworked the entire btcec library to eliminate, for one thing, the decred dependency, and i've mostly also removed its dependency on blake hash library except for a few tests that i have to regenerate vectors for
the go standard library itself has a lot of things but some things are glaringly missing, and especially when it comes to go's crazy immutable strings, the amount of memory garbage these throw off is mindboggling - the more complex your application, and the longer it runs for, the more likely you are to run into GC hell with high CPU usage and reduced latency after a certain amount of time, and even worse if you are spawning coroutines for each network connection and those damn connections never drop (this is a problem with the design of nostr websocket subscriptions, and there is no specification about what constitutes an expected time to drop a subscription beyond exceeding the configured limit field in filters)
i am not overtly conscious of the fact that huge long go.mod files could be a security problem but now you point it out, yes, this is another reason, but my primary reason to not want that is to not fill my disk with useless, often unnecessarily redundant crap, it clogs the disk, for a start, and then in the actual binary, it means several pieces of code do the same thing in different parts, this annoys the piss out of me also, and it's more memory that is going to waste, and then on top, very often the entire architecture of the different components is not in line with my architecture and all my efforts to maintain sane memory usage are defeated by some stupid import of an import of an import
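Added example, not part of the post above and not its author's code: a small standard-library-only audit of a go.mod that separates direct from `// indirect` requirements and flags modules pulled in at more than one major version, since Go treats each `/vN` path as a separate module that must be tracked and patched on its own. `Audit` and `sampleGoMod` are hypothetical names, the module paths are constructed, and the parser is simplified to plain `require` lines and blocks.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Constructed sample go.mod; every module path in it is invented.
const sampleGoMod = `module example.test/relay
require (
	example.test/ws v1.4.0
	example.test/secp v0.3.1
	example.test/secp/v2 v2.0.5 // indirect
	example.test/hash v1.0.0 // indirect
)
require example.test/secp/v4 v4.1.0 // indirect
`
var majorSuffix = regexp.MustCompile(`/v[0-9]+$`)

// Audit (hypothetical helper): direct and indirect requirements, plus base paths seen at 2+ majors.
func Audit(gomod string) (direct, indirect, repeated []string) {
	seen, inBlock := map[string]int{}, false
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(line)
		if line == "require (" || line == ")" {
			inBlock = line != ")" // only lines inside require ( ... ) count
			continue
		}
		single := strings.HasPrefix(line, "require ")
		if !single && !inBlock {
			continue // module, go, replace, exclude and blank lines
		}
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(f) < 2 || strings.HasPrefix(f[0], "//") {
			continue
		}
		if strings.HasSuffix(line, "// indirect") {
			indirect = append(indirect, f[0])
		} else {
			direct = append(direct, f[0])
		}
		base := majorSuffix.ReplaceAllString(f[0], "")
		if seen[base]++; seen[base] == 2 {
			repeated = append(repeated, base) // report each base path once
		}
	}
	return
}

func main() { fmt.Println(Audit(sampleGoMod)) }
```

On the constructed sample this reports 2 direct and 3 indirect requirements and flags `example.test/secp`, which is present as v0, v2 and v4.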