Near-100% test coverage did not catch a CVE in my Go library

for parsers, malformed input probably has to be part of the actual spec, not just an edge case. A small set of bad-input tests plus fuzzing seems more useful than chasing the last few percent of line coverage