You are not misunderstanding anything. I use Go and Rust/TypeScript in my daily work, and you are correct - it is the OP that does not understand why people use lockfiles in CI (to prevent minor updates and changes in upstream through verifying a hash signature).
I would hazard a guess that the (former) head of the Go security team at Google (OP) _does_ in fact understand.