[apples_oranges]

Refactoring into a single file sounds like a bit of a pain, since you have to do it every time the external code gets updated. Also how do you deal with dependencies that come with their own dependencies? Do you avoid them?

[davemo]

This may be slightly tangential but I recently discovered ncc[1] from vercel which can take a single node project and compile it and all dependencies to a single file.

As an added benefit it also collapses all contained dependencies license files into a single licenses.txt file too!

- [1] https://github.com/vercel/ncc

[TekMol]

    every time the external code gets updated

I do not keep my fork in sync afterwards.

    dependencies that come with
    their own dependencies

Depends on the dependencies. If you give me an example, I can tell you what I would do.

[geofft]

This is a fantastic trick! By copying the source code (which is legal) but not declaring the dependencies in a package.json or similar, nobody will ever get on your case for CVEs in dependencies, and you can save so much time and churn by not updating them.

[mellavora]

not necessarily. Depends why the external code was updated and if you need the new functionality.

I'm assuming it isn't a security flaw, because ideally you would have fixed that already during your refactor.