But they all have to vendor as well if they want reliable builds. Otherwise you end up with everything breaking when a developer decides to do a forced push or take his repo off GitHub.
Force pushes - by far more common than straight-up repository removal - are handled without problem; we let you stick with your old version. (At least, that's how it should be - there might be a couple more test cases to write. I know I designed for this problem early on.)
Repo removal, renaming, or whatever, are still problems, for sure.
Today, dep populates vendor/ with dependencies, and works equally well whether you decide to commit them or not.