
Actually, a lot of dependency managers are starting to accept git repos as dependency sources with pinned hashes as versions. Works out pretty well.


In practice the biggest issue I've found with git+pinned hashes as dependencies is that most public sources of remote git repositories allow the repository to be taken down by the author at any time, i.e. an author can turn a public GitHub repo private or simply delete it at will.

Whereas most public package registries generally don't allow removal of publicly published packages outside of special circumstances, so the references will be more durable.


Fortunately it's trivial to clone a repo and link to the clone.


In a dependency of a dependency of a dependency?


That's a pain. It's the same problem as a class that constructs a particular object that you want to customize. The solution is also the same: dependency injection.


The next leftpad debacle is going to be due to a git dependency.


I wish they didn't. Git clone is very slow relative to downloading a tarball. Glide/Dep would take tens of seconds to download what amounted to a few megabytes.



