gomod-age: A Simple CI Gate Against Go Dependency Supply Chain Attacks
NewsTools


via Dev.to (r4mimu)

The Problem Nobody Talks About Until It's Too Late

Here's a scenario that keeps Go developers up at night: someone publishes a malicious package to a module proxy, and your CI pipeline happily pulls it in on the next go mod tidy. The package is minutes old, has zero adoption, and contains a backdoor. Your tests pass. Your linter is green. You ship it to production.

This isn't hypothetical. Supply chain attacks targeting package registries have been climbing year over year. The event-stream incident in npm, the ua-parser-js hijack, the colors.js sabotage — these are well-known cases, but the Go ecosystem isn't immune. Typosquatting, account takeovers, and dependency confusion attacks all apply.

Most teams rely on go.sum for integrity checks and GOPRIVATE for internal modules. That covers "did the bits change?" but not "should we trust this release at all?" A go.sum entry, and the sum.golang.org checksum database behind it, only attests that every download of a given version has the same content; it says nothing about whether that content is safe. There's a gap between a version being published and a version being safe to consume. Nothing in the standard Go toolchain guards th
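The age gate the article describes, as an added example that is not gomod-age's own code and not from the Dev.to post: it parses the require directives in go.mod, asks a module proxy for each version's publish time through the `.info` endpoint of the Go module proxy protocol, and fails the build when any version is younger than a minimum age. The go.mod content, module names and timestamps are constructed for the demo, and `ParseRequires`, `CheckAges`, `InfoFetcher` and `FakeFetcher` are this example's own names. A production `InfoFetcher` would GET `$GOPROXY/<module>/@v/<version>.info` (with upper-case letters in the module path case-encoded as `!` plus the lower-case letter, as the proxy protocol requires); the demo serves canned responses so it runs offline.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// Requirement is one module/version pair from a go.mod require directive.
type Requirement struct{ Path, Version string }

// ParseRequires extracts require directives (single-line and block form) from go.mod
// text. Comments are dropped before splitting, so "// indirect" entries are kept: a
// transitive dependency is compiled into the binary and is just as attackable.
func ParseRequires(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs = append(reqs, Requirement{f[0], f[1]})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) == 3:
			reqs = append(reqs, Requirement{f[1], f[2]})
		}
	}
	return reqs
}

// InfoFetcher returns the document a GOPROXY serves at <module>/@v/<version>.info,
// a JSON object such as {"Version":"v1.2.3","Time":"2024-01-02T15:04:05Z"}.
// A live fetcher must case-encode the path ("A" -> "!a") before building the URL.
type InfoFetcher func(path, version string) ([]byte, error)

// FakeFetcher serves canned .info documents keyed by "path@version" for offline runs.
func FakeFetcher(docs map[string]string) InfoFetcher {
	return func(path, version string) ([]byte, error) {
		if doc, ok := docs[path+"@"+version]; ok {
			return []byte(doc), nil
		}
		return nil, fmt.Errorf("%s@%s: no .info document", path, version)
	}
}

// Finding is a requirement whose version was published less than minAge before now.
type Finding struct {
	Requirement
	Published time.Time
}

// CheckAges is the gate. Every lookup failure is returned as an error so the gate fails
// closed: an unreachable proxy or an unknown version must never pass as "old enough".
func CheckAges(reqs []Requirement, fetch InfoFetcher, now time.Time, minAge time.Duration) ([]Finding, error) {
	var findings []Finding
	for _, r := range reqs {
		raw, err := fetch(r.Path, r.Version)
		if err != nil {
			return nil, err
		}
		var info struct{ Time time.Time }
		if err := json.Unmarshal(raw, &info); err != nil || info.Time.IsZero() {
			return nil, fmt.Errorf("%s@%s: unusable .info document", r.Path, r.Version)
		}
		if now.Sub(info.Time) < minAge {
			findings = append(findings, Finding{r, info.Time})
		}
	}
	return findings, nil
}

func main() {
	// Constructed go.mod and proxy responses for the demo; none of these modules are real.
	const goMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/example/stable v1.4.0\n\tgithub.com/example/fresh v0.0.3 // indirect\n)\nrequire github.com/example/legacy v2.1.0+incompatible\n"
	docs := map[string]string{
		"github.com/example/stable@v1.4.0":              `{"Version":"v1.4.0","Time":"2024-01-10T12:00:00Z"}`,
		"github.com/example/fresh@v0.0.3":               `{"Version":"v0.0.3","Time":"2024-03-01T08:30:00Z"}`,
		"github.com/example/legacy@v2.1.0+incompatible": `{"Version":"v2.1.0+incompatible","Time":"2019-06-01T00:00:00Z"}`,
	}
	now := time.Date(2024, 3, 2, 0, 0, 0, 0, time.UTC) // fixed clock so the demo is reproducible
	findings, err := CheckAges(ParseRequires(goMod), FakeFetcher(docs), now, 7*24*time.Hour)
	if err != nil {
		fmt.Println("lookup failed, refusing to pass the gate:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("BLOCK %s@%s: published %s, only %s old\n", f.Path, f.Version, f.Published.Format(time.RFC3339), now.Sub(f.Published).Round(time.Hour))
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Two choices worth keeping in any real gate: lookup failures surface as an error rather than an empty result, so a proxy outage or a version the proxy has never seen cannot slip through as a pass; and `// indirect` requirements are checked alongside direct ones. With the constructed data, `go run .` blocks `github.com/example/fresh@v0.0.3` (about 15 hours old against a 7-day minimum) and exits 1; exit 2 means the lookup itself failed.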

Continue reading on Dev.to
