> If you're waiting on a PR from the original repo owner to fix a Production bug, you're doing it wrong. It's trivial to copy the dependency out of node_modules and into your src, and then fix the bug yourself. Then when the owner accepts your PR, swap it back in. I don't understand the problem here.
You're working the problem around instead of having it solved. You're
moving a library in your repository back and forth, while the library should
never land there in the first place (or stay there until it stops being used).
But even if you don't agree with this strategy, it's still much more work than
to just commit the fix and be done with it. And you still don't control who
introduces bugs to your code with modules upgrades, having much bigger surface
to random external programmers than you would if you only used things large
enough to pay for themselves.
You're working the problem around instead of having it solved. You're moving a library in your repository back and forth, while the library should never land there in the first place (or stay there until it stops being used).
But even if you don't agree with this strategy, it's still much more work than to just commit the fix and be done with it. And you still don't control who introduces bugs to your code with modules upgrades, having much bigger surface to random external programmers than you would if you only used things large enough to pay for themselves.