[fctorial]

> Vendoring dependencies is a simple way to ensure consistent build inputs

It wouldn't be necessary if the dependency tree was a pure function of package manifest.

https://developer.okta.com/blog/2019/12/16/semantic-versioni...