I finally moved the last of my services off dep and onto Go modules this week, which is the sort of thing I should have done a couple of years ago and kept not doing because it was working and I am lazy.
The migration itself was anticlimactic, which is the best kind. go mod init picked up the package path, go mod tidy read the old Gopkg.lock, resolved everything, and produced a go.mod and go.sum that built first time. Then I deleted Gopkg.toml, Gopkg.lock, and the entire vendor directory, and the repository got noticeably lighter and quieter. No more committing thousands of vendored files. No more dep ensure taking an age and occasionally disagreeing with itself.
The bit I'd been dreading, the dependency resolution, just wasn't a problem. Minimal version selection is easier to reason about than I expected: it picks the lowest version that satisfies everything, so builds are reproducible without a lockfile-shaped ceremony, and go.sum keeps it honest. The module proxy means I'm no longer at the mercy of a dependency's git host being up when CI runs.
If you're still on dep, or worse still on bare GOPATH and a prayer, stop reading and go run go mod init. It's been stable for ages now and the tooling has caught up. I waited for a perfect moment that was never coming, when the actual cost was an afternoon. Modules won. They were always going to.