Dependencies in Go are safe because they cannot be modified by a third-party dependency; they have to be changed deliberately by a developer. All dependencies are saved in the go.mod file with their versions, and those versions are used when running go install.

Also, if a developer changes the code of a version, it won't install, because the checksum of that code will change, and Go stores the checksums in the go.sum file.
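The check described above, as an added example that is not part of the original page: it reproduces the "h1:" directory hash format that go.sum lines use (the Hash1 scheme from golang.org/x/mod/sumdb/dirhash) and shows a changed file failing verification. The module example.com/greet, its file tree, and the helper names h1, verify and sampleModule are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// h1 reproduces the "h1:" hash format from go.sum: a SHA-256 over a sorted
// manifest with one "<sha256 of file>  <module@version/path>" line per file.
func h1(modVer string, files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256([]byte(files[name]))
		fmt.Fprintf(manifest, "%x  %s/%s\n", sum[:], modVer, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify checks a file tree against a "module version h1:..." go.sum line.
func verify(goSumLine string, files map[string]string) bool {
	f := strings.Fields(goSumLine)
	if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
		return false // malformed line: fail closed
	}
	return h1(f[0]+"@"+f[1], files) == f[2]
}

func sampleModule() map[string]string { // constructed tree, hypothetical module
	return map[string]string{
		"go.mod":   "module example.com/greet\n\ngo 1.21\n",
		"greet.go": "package greet\n\nfunc Hello() string { return \"hi\" }\n",
	}
}

func main() {
	line := "example.com/greet v1.0.0 " + h1("example.com/greet@v1.0.0", sampleModule())
	fmt.Println("original verifies:", verify(line, sampleModule()))
	tampered := sampleModule()
	tampered["greet.go"] += "func init() { /* changed after release */ }\n"
	fmt.Println("tampered verifies:", verify(line, tampered))
}
```

A real go.sum also carries a second line per module, ending in /go.mod, that hashes only the go.mod file; this example covers the full-tree line.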

All of this helps to prevent supply chain attacks when using Go with third-party dependencies.