What did you do?

nats-server in v0.12 is still v2.5.0
But in the master branch, it is already upgraded to v2.8.4

What did you expect?

I need v2.8.4 of nat-server or even newer version

What happened instead?

no release tag created

You don't need a new release of Go kit to take advantage of the new nats-server version. You can require that version in your local go.mod, and that constraint will be respected during your build. Go kit releases new versions when it adds new functionality or bug fixes directly, not for transitive version bumps.

actually, could you do a special release to upgrade all outdated dependencies? Those are really important to ensure the robust and security in the real word production environment.

It's definitely not necessary for Go kit to make a new release whenever its transitive dependencies are updated. Downstream consumers can require more-recent versions of those dependencies locally, and those versions will be respected, even when using an older version of Go kit.

(More generally, if projects like Go kit were to tag a new version whenever any transitive dependency is updated, it would mean new Go kit releases every few days, with no actual changes to Go kit related code. This is both infeasible for maintainers to maintain, and pointless for consumers to consume.)

But it has been 2 years...bro;
And upgrading the nats-server locally wouldn't be the right solution; because in my project, the nats-server wasn't showing up in go.sum ----> our services are not indirectly using nats-server; but it still be included in the gokit codebase...

go.sum isn't a lock file, and doesn't represent what is actually included in your binary.

If your binary doesn't use nats-server then it won't be included, even if you use Go kit.