For NodeJS i can use an internal Nexus Server as central Repository. This Server can work in addition as Proxy, so if the Package is not known locally, it goes to registry.npmjs.com or whatever is configured and loads the package from there.
Than this package will be stored in the Nexus with all related meta info like Version etc. With that we are always build able, even when the Owner deletes the public repo or a new Version has breaking changes . In addition we can make reviews and allow only reviewed main packages etc.
Is there something equal available for Go?