Cautiously posting that link, because I'm not against vendoring. You just need a process around keeping your dependencies up to date / refreshed automatically. The ability to vendor is one thing, how you use it is another.
I agree with your statement, but what I usually see in real life is that once dependencies are vendored in they never change.
That's what dynamic linking and Linux distributions are for.
I agree with your statement, but what I usually see in real life is that once dependencies are vendored in they never change.