For NodeJS i can use an internal Nexus Server as central Repository. This Server can work in addition as Proxy, so if the Package is not known locally, it goes to registry.npmjs.com or whatever is configured and loads the package from there.
Than this package will be stored in the Nexus with all related meta info like Version etc. With that we are always build able, even when the Owner deletes the public repo or a new Version has breaking changes . In addition we can make reviews and allow only reviewed main packages etc.
Is there something equal available for Go?
I found some projects which try to solve the mentioned issue by acting as central storage and proxy for dependencies.
Most promesing are project Athens and Artifactory 5.11.
Project Athens can work with go dep
Artifactory 5.11 needs jfrog cli instead of go dep