Hacker News

In which use case where Prometheus is used does it matter if the binary is 103MB or 2MB?


In the case where some rarely used feature is exploitable via some misconfiguration.

See also: log4j


This is the thing. Is all of that 105MB vs 2MB of stuff the devs actually know exactly what it is and why it's there? As others have stated, the dependency fluff is just a multitude of footguns cocked, locked, and ready to rock your world


But how? I've got prometheus running in its own, non-root account. That makes exploiting vulnerabilities nearly useless, unless you can find a way to get it to spawn a process which can sudo. It runs behind nginx, which has a simple name/pwd protection on it. That makes it very hard to exploit. And prometheus only runs on one server; the others run node_exporter, or publish app data.

What am I missing?


You described multiple layers of security. Removing dependencies and stripping down code is the same: another layer of security.


> What am I missing?

If I knew, it would have a CVE number.

However, the less code you have, the fewer the places there are where you need to ask that question.


None, but it's an interesting case study of a widespread concern (not necessarily problem)


I don't think anyone cares. They could make the binary 15kb, no one would notice. Most of the time it runs inside a pod that will feature a 500+ MB operating system anyway...


Go applications can be built into static self-contained binaries, which don't need extra dependencies. These binaries can run inside a `scratch` Docker container, which doesn't take additional space. So it is easy to create small Docker images (less than 10Mb) with such binaries. See, for example, the following article - https://valyala.medium.com/stripping-dependency-bloat-in-vic...
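The static-binary-in-`scratch` pattern described in the comment above, as an added example that is not part of the thread or of any project named in it. It assumes a hypothetical Go module whose main package lives at `./cmd/exporter`; the Go image tag, the output path and the exposed port are likewise assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a fully static Go binary (hypothetical module, see lead-in).
FROM golang:1.22 AS build
WORKDIR /src
# Copy module files first so dependency downloads are cached independently of source edits.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 avoids linking against libc, so the result has no shared-library
# dependencies and can run where no libc exists. -s -w strip the symbol table and
# DWARF debug info; -trimpath keeps local build paths out of the binary.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -trimpath -ldflags="-s -w" -o /out/exporter ./cmd/exporter

# Stage 2: an empty base image. There is no shell, package manager, or libc here,
# so the only executable code in the final image is the binary copied in below.
FROM scratch
# Root CA bundle: needed only if the binary makes outbound TLS connections.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/exporter /exporter
# A numeric UID works without an /etc/passwd in the image and satisfies
# Kubernetes runAsNonRoot checks; the process never runs as root.
USER 65534:65534
# Assumed listening port for the hypothetical exporter.
EXPOSE 9100
ENTRYPOINT ["/exporter"]
```

After `docker build`, `docker image ls` shows the final image at roughly the size of the binary plus the CA bundle, and `docker run --rm -it <image> sh` fails because the image contains no shell.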


They would notice on their Kubernetes storage accounting.


Ah no :-P

