After the "left-pad" fiasco, and a similar event on the Ruby side, I started vendoring my dependencies as standard practice. I have not been sorry yet; in fact, I feel vindicated in that approach.
Vendoring in Ruby land is a double-edged sword. It is much safer, as you said. However, if you _do_ vendor, be sure to be running containerized first. Otherwise you will be in a very frustrating spot, having to handle all sorts of native gem issues when trying to run on various computers during dev/test/prod.
Yes, this is a real problem. We primarily use Docker, which solves the issue, but there are people who hate Docker and want to run native. For the Mac users, that doesn't go too well.
Vendoring is a good first step, too. As long as you have a local copy of all the dependencies, you're better off than needing to go pull them from the Internet every time you want them and risking having them gone. Potentially worse is having the same version but with modifications.
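The "same version but with modifications" case is the one a plain vendored copy does not catch on its own: the filename and version string still match, only the bytes differ. The script below is an added example, not code from any commenter or from Bundler; it records a SHA-256 manifest of the `.gem` files in a vendored tree (Bundler's `bundle package` puts them under `vendor/cache`) at the time the dependencies were vetted, and later reports files that were modified, removed, or added. The manifest filename, the directory layout in the demo, and the fake gem archives (plain byte strings, not real gems) are all assumptions constructed for the example.

```ruby
require "digest"
require "json"
require "fileutils"
require "tmpdir"

# Hash every .gem under vendor_dir, keyed by path relative to vendor_dir.
# Sorted so the manifest is deterministic and diffs cleanly in version control.
def build_manifest(vendor_dir)
  Dir.glob(File.join(vendor_dir, "**", "*.gem")).sort.each_with_object({}) do |path, manifest|
    rel = path.delete_prefix(vendor_dir + "/")
    manifest[rel] = Digest::SHA256.file(path).hexdigest
  end
end

# Persist / reload the manifest (assumed filename chosen by the caller).
def save_manifest(path, manifest)
  File.write(path, JSON.pretty_generate(manifest))
end

def load_manifest(path)
  JSON.parse(File.read(path))
end

# Compare the current tree to a trusted manifest. Three findings matter:
#   modified   - same name/version on disk, different bytes (the dangerous case)
#   missing    - a vetted gem has disappeared
#   unexpected - a gem that was never vetted showed up
def verify_vendor(vendor_dir, trusted)
  current = build_manifest(vendor_dir)
  {
    modified:   trusted.keys.select { |k| current.key?(k) && current[k] != trusted[k] },
    missing:    trusted.keys - current.keys,
    unexpected: current.keys - trusted.keys,
  }
end

def vendor_clean?(findings)
  findings.values.all?(&:empty?)
end

# Constructed demo: a throwaway vendor tree with fake gem archives.
# Returns [findings_before_tampering, findings_after_tampering].
def demo_findings
  Dir.mktmpdir("vendor-check") do |dir|
    cache = File.join(dir, "cache")
    FileUtils.mkdir_p(cache)
    File.binwrite(File.join(cache, "rack-2.2.3.gem"), "fake rack 2.2.3 archive bytes")
    File.binwrite(File.join(cache, "nokogiri-1.13.1.gem"), "fake nokogiri 1.13.1 archive bytes")

    # Snapshot taken when the dependencies were reviewed; commit this file.
    manifest_path = File.join(dir, "vendor-manifest.json")
    save_manifest(manifest_path, build_manifest(dir))
    trusted = load_manifest(manifest_path)

    clean = verify_vendor(dir, trusted)

    # Same filename, same version string, different contents.
    File.binwrite(File.join(cache, "rack-2.2.3.gem"), "fake rack 2.2.3 archive bytes + backdoor")
    # A gem nobody reviewed.
    File.binwrite(File.join(cache, "evil-0.0.1.gem"), "unreviewed archive bytes")

    [clean, verify_vendor(dir, trusted)]
  end
end

if $PROGRAM_NAME == __FILE__
  before, after = demo_findings
  puts "before tampering clean? #{vendor_clean?(before)}"
  puts "after tampering: #{after.inspect}"
end
```

In practice you would run `build_manifest` once against a reviewed `vendor/cache`, commit the resulting JSON next to `Gemfile.lock`, and run `verify_vendor` in CI before `bundle install --local`, failing the build when any of the three lists is non-empty. Bundler's own `Gemfile.lock` pins versions but not file contents, which is exactly the gap this check closes.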
We get a form of this with our two-stage image-building process -- the first stage installs all dependencies, and we only update it when dependencies change.