If you go look at any real Go projects, they usually use tons of dependencies, and they're usually pinned to random git hashes.
No, they are usually pinned to a git tag, which is usually a version string representing a released version. And the tag is locked to a hash to detect if the tag is later modified.
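An added example, not from the thread, of the tag-plus-hash locking the reply describes: it recomputes the `h1:` hash that go.sum records for a module version (the Hash1 scheme from golang.org/x/mod/sumdb/dirhash) over a constructed in-memory module tree, then checks whether a re-fetched tag still matches. The module path, file contents and the `verify` helper are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 recomputes the "h1:" hash go.sum stores for a module version:
// for each file, sorted by name, one line "<sha256 hex>  <name>\n" is fed
// into an outer SHA-256, and the final digest is base64-encoded.
// files is a constructed in-memory file tree standing in for the module zip.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verify compares the hash recorded in go.sum with the hash of the tree
// actually fetched for that tag; a moved or rewritten tag fails here.
func verify(recorded string, fetched map[string][]byte) bool {
	return recorded == hash1(fetched)
}

func main() {
	// Constructed contents of a hypothetical module at tag v1.2.0.
	original := map[string][]byte{
		"example.com/lib@v1.2.0/go.mod": []byte("module example.com/lib\n"),
		"example.com/lib@v1.2.0/lib.go": []byte("package lib\n"),
	}
	recorded := hash1(original) // the value `go mod download` would write to go.sum
	fmt.Println("example.com/lib v1.2.0", recorded)

	// Same tag name, but the tag now points at a commit with different contents.
	tampered := map[string][]byte{
		"example.com/lib@v1.2.0/go.mod": []byte("module example.com/lib\n"),
		"example.com/lib@v1.2.0/lib.go": []byte("package lib\nfunc init() {}\n"),
	}
	fmt.Println("original tree matches go.sum:", verify(recorded, original)) // true
	fmt.Println("rewritten tree matches go.sum:", verify(recorded, tampered)) // false
}
```

The version string in go.mod selects the tag; the go.sum line is what makes a later rewrite of that tag fail verification.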