The vulnerability list is open source and you can get a list of public projects that use each dependency from pkg.go.dev - if you really want a list, there are at least a few ways that are more efficient than scanning GitHub! (As you pointed out above)