t-yuki / gocover-cobertura

golang : go tool cover to XML (Cobertura) export tool.

Home Page:https://github.com/t-yuki/gocover-cobertura/wiki/Screenshots


Make release version of gocover-cobertura

painhardcore opened this issue · comments

If gocover-cobertura is meant to be a CI tool, it should have a release version with a built binary, because if something changes, we can break a CI process.

commented

I cannot speak for the author. That said:

If you care that your deps don't change, you should pin a specific version one way or another:

  • check a known-good binary into your repo (it's unlikely that an author on github would make a release, then replace it with a different/broken/malicious version - but I'm pretty sure it is possible)
  • check a known-good revision of the source into your repo
  • some other mechanism that relies on a git commit id, ensuring you always use the same revision

Pushing the responsibility back on the developer is easy, and it looks reliable... but that's only so long as the people with write access never mess up. Just look at all the myriad snafus with npm, pip, etc etc etc.

If you rely on upstream and a shady person figures that out as well as how to embarrass you or make money off of you, well... I wouldn't want to be you.
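The pinning the comment above recommends, written out as an added example that is not part of the issue thread or of the gocover-cobertura project: build the tool at a fixed git commit and refuse to use the binary unless its SHA-256 matches a digest recorded when the build was last vetted. The commit id and digest are placeholders, `sha256_of`, `verify_checksum` and `install_pinned_gocover_cobertura` are names chosen here, and the stdin/stdout invocation at the end is assumed from the project's README.

```shell
#!/bin/sh
# Added example, not project code. Placeholders: replace with values you verified.
GOCOVER_COBERTURA_REV="${GOCOVER_COBERTURA_REV:-0000000000000000000000000000000000000000}"  # placeholder commit id
GOCOVER_COBERTURA_SHA256="${GOCOVER_COBERTURA_SHA256:-<known-good sha256 of the binary>}"   # placeholder digest

# Print the SHA-256 of a file, using GNU coreutils or the BSD/macOS tool.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file's digest equals the expected digest (hex case ignored).
verify_checksum() {
  actual=$(sha256_of "$1") || return 1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Build the tool at the pinned revision into a private GOBIN, then verify it.
# Assumes Go 1.16+ (go install with an @version suffix) and network access.
install_pinned_gocover_cobertura() {
  gobin="${1:-$PWD/.ci-bin}"
  mkdir -p "$gobin"
  GOBIN="$gobin" go install "github.com/t-yuki/gocover-cobertura@$GOCOVER_COBERTURA_REV" || return 1
  if verify_checksum "$gobin/gocover-cobertura" "$GOCOVER_COBERTURA_SHA256"; then
    echo "gocover-cobertura verified at $gobin/gocover-cobertura"
  else
    echo "gocover-cobertura checksum mismatch; refusing to use it" >&2
    rm -f "$gobin/gocover-cobertura"
    return 1
  fi
}

# Typical CI use once the binary is trusted (invocation assumed from the README):
#   go test -coverprofile=cover.out ./... && .ci-bin/gocover-cobertura < cover.out > coverage.xml
```

Checking the binary into the repo, as the comment's first bullet suggests, replaces the `go install` step but keeps the same `verify_checksum` guard.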