gomod-age: A Simple CI Gate Against Go Dependency Supply Chain Attacks
go
dev.to
The Problem Nobody Talks About Until It's Too Late

Here's a scenario that keeps Go developers up at night: someone publishes a malicious package to a module proxy, and your CI pipeline happily pulls it in on the next go mod tidy. The package is minutes old, has zero adoption, and contains a backdoor. Your tests pass. Your linter is green. You ship it to production.

This isn't hypothetical. Supply chain attacks targeting package registries have been climbing year over year. The event-
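As an added sketch of the kind of gate the title describes (my own example, not gomod-age's code), the program below reads the build list in the format `go list -m all` prints, looks up each module's publication time from the Time field of the proxy's `@v/<version>.info` record, and fails any module younger than a minimum age; the function names, the injected fetch and all sample data are constructed so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// buildList parses `go list -m all` output ("path version" per line) into path -> version;
// the main module's line (no version) and replaced modules ("... => ...") are skipped.
func buildList(out string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			mods[f[0]] = f[1]
		}
	}
	return mods
}

// gate returns the modules whose proxy .info record shows a publication Time less than minAge
// before now. fetch stands in for the GET of <proxy>/<module>/@v/<version>.info a CI job would issue.
func gate(list string, fetch func(path, ver string) ([]byte, error), now time.Time, minAge time.Duration) ([]string, error) {
	var young []string
	for path, ver := range buildList(list) {
		var info struct{ Time time.Time } // the one .info field this gate needs
		body, err := fetch(path, ver)
		if err == nil {
			err = json.Unmarshal(body, &info)
		}
		if err != nil { // fail closed: a dependency of unknown age must not pass
			return nil, fmt.Errorf("%s@%s: %w", path, ver, err)
		}
		if now.Sub(info.Time) < minAge {
			young = append(young, path+"@"+ver)
		}
	}
	return young, nil
}

// runSample applies a seven-day minimum age to a constructed list in which new/shiny is 20 minutes old.
func runSample() ([]string, error) {
	list := "example.com/app\ngithub.com/old/stable v1.4.0\ngithub.com/new/shiny v0.1.0\n"
	published := map[string]string{"github.com/old/stable": "2023-01-10T12:00:00Z", "github.com/new/shiny": "2024-06-01T11:40:00Z"}
	fetch := func(p, v string) ([]byte, error) { return []byte(`{"Version":"` + v + `","Time":"` + published[p] + `"}`), nil } // constructed proxy reply
	return gate(list, fetch, time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC), 7*24*time.Hour)
}

func main() { fmt.Println(runSample()) } // [github.com/new/shiny@v0.1.0] <nil>
```

A real CI job would pipe `go list -m all` into this and issue the proxy GETs in fetch, failing the build on a non-empty result or any lookup error.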