Go’s authors realized that package versioning is a complex issue better left to the community to figure out. Imports were left as string literals so people could experiment and build tools to address the issue.

However, their own versioning method was hidden quietly in Go’s FAQ :

If you’re using an externally supplied package and worry that it might change in unexpected ways, the simplest solution is to copy it to your local repository. (This is the approach Google takes internally.) Store the copy under a new import path that identifies it as a local copy.

Simply copy a package into your repository and update the import paths. This eliminates issues with locking down a version and ensuring availability. It does not require you or anyone else to alter a GOPATH, get dependencies, or install some other tool to work with your code. It simply works.

To help, I made a tool that allows you to easily get started with vending your own Go packages.