GitHub Dependabot could have been a genuinely useful security alerting tool, but instead I assume every email it sends me about my Go projects is irrelevant because it targeted some super large package like x/sys or x/net, with no check that the impacted code is reachable. This is silly! Go has tooling to do exactly this, and instead we are stuck with the "Nessus pentest report" of dependency tools. Mostly useless and harmful because of instant alert fatigue.
benjojo
replied 28 Feb 2023 19:11 +0000
in reply to: https://fosstodon.org/users/dghubble/statuses/109943673389022789