Yeah... In defense of the Go folks (1) they are working hard to make the transition as smooth as possible (2) dep was always just considered an experiment (though with aspirations by the author to have it become the official solution) (3) vgo almost certainly marks the end of the churn, and looks really nice.
> Go's dependency management story is starting to resemble JS's modules story
It's worse tbh. npm was actually always usable if you knew what you were doing. Complaints with npm were generally down to misunderstanding, people not being aware of features like 'npm shrinkwrap' (which has now been replaced with a lockfile-by-default strategy) and of course registry issues (allowing unpublishing) that weren't unique to npm, and were only an issue for people relying on public registries at deploy-time, a bad idea.