Hacker News
by TekMol 1690 days ago

    every time the external code gets updated
I do not keep my fork in sync afterwards.

    dependencies that come with
    their own dependencies
Depends on the dependencies. If you give me an example, I can tell you what I would do.
1 comments

This is a fantastic trick! By copying the source code (which is legal) but not declaring the dependencies in a package.json or similar, nobody will ever get on your case for CVEs in dependencies, and you can save so much time and churn by not updating them.