This is going to be interesting for the Go-guys, since a lot of Go package management is built around git clones. It's probably fine for things hosted on GitLab, GitHub or Bitbucket, and then you missed that one sneaky little dependency stabbing you in the back.
Why is it more interesting for the Go packaging situation? As far as I'm aware, most packaging systems run scripts from inside the packages anyway. If you're running the packages' scripts, being vulnerable to this is a side-note. You have to trust the packagers anyway.