With oapi-codegen, as many other folks in the ecosystem, we've been asked a few times in the past "can you please update this dependency as it has a CVE". I'll generally reach for govulncheck as a way to confirm the impact, given it validates - via static analysis - whether the dependency is actually called as part of your operation (sometimes known as "reachability"). Although we're still working towards defining when dependencies with CVEs will be updated, this is a step towards being able ...
