Comment 6 for bug 2045552

Julian Andres Klode (juliank) wrote :

Basically what you want to do is filterdiff -p1 -x vendor/ such that you only diff the nullboot stuff and the list of dependencies in go.mod.

Unfortunately policy requires us to vendorize the Go dependencies, and we need to keep those dependencies up to date such that security is happy. There is no way to backport individual fixes in dependencies. This is virtually the same for all Go projects.

But the entire vendor/ directory is automatically generated at git export time by go mod vendor (using a pre-export hook in debian/gbp.conf).
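The review workflow described in the comment above, as an added example that is not part of the original comment or of nullboot: it drops every file section under vendor/ after stripping the first path component (as -p1 does) and lists the version changes in go.mod. The function names and the sample diff are constructed for illustration, and it assumes each file section starts with a "diff " line.

```python
import re

# Constructed sample diff: package name, versions and modules are made up.
SAMPLE = """\
diff -Nru pkg-1.0/go.mod pkg-1.1/go.mod
--- pkg-1.0/go.mod
+++ pkg-1.1/go.mod
@@ -4 +4 @@
-\texample.org/tpm v0.1.0
+\texample.org/tpm v0.2.0
diff -Nru pkg-1.0/vendor/example.org/tpm/tpm.go pkg-1.1/vendor/example.org/tpm/tpm.go
--- pkg-1.0/vendor/example.org/tpm/tpm.go
+++ pkg-1.1/vendor/example.org/tpm/tpm.go
@@ -1 +1 @@
-package old
+package tpm
diff -Nru pkg-1.0/main.go pkg-1.1/main.go
--- pkg-1.0/main.go
+++ pkg-1.1/main.go
@@ -1 +1 @@
-var retries = 1
+var retries = 2
"""


def split_files(diff_text):
    """Return [(path with the first component stripped, section text)]."""
    out = []
    for sec in re.split(r"(?m)^(?=diff )", diff_text):
        if sec.startswith("diff "):
            new_name = sec.splitlines()[0].split()[-1]
            out.append((new_name.split("/", 1)[-1], sec))
    return out


def without_vendor(diff_text):
    """Drop every file section under vendor/; keep the rest in order."""
    return "".join(s for p, s in split_files(diff_text) if not p.startswith("vendor/"))


MOD_LINE = re.compile(r"^([+-])\s+(\S+)\s+(v\S+)")  # block-form require lines only


def gomod_changes(diff_text):
    """Map module -> [old_version, new_version] from the go.mod section."""
    changes = {}
    for path, sec in split_files(diff_text):
        if path != "go.mod":
            continue
        for m in filter(None, map(MOD_LINE.match, sec.splitlines())):
            sign, mod, ver = m.groups()
            changes.setdefault(mod, [None, None])[0 if sign == "-" else 1] = ver
    return changes
```

A module that appears in the go.mod changes with only one side filled in was added or removed rather than bumped, which is worth a closer look during review.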