ncruces 3 days ago

That has its own downsides, though.

Both v1 packages continue to work; both are maintained. They get security updates, and were both improved by implementing them on top of v2 to the extent possible without breaking their respective APIs.

More importantly: the Go authors remain responsible for both the v1 and v2 packages.

What most people want to avoid with a "batteries included standard library" (and few additional dependencies) is the debacle we had just today with NPM.

Well-maintained packages, from a handful of reputable sources, with predictable release schedules, a responsive security team and a well-specified security process.

You can't get that with 100s of independently developed dependencies.