> Managing complexity is important, depending on several hundred things (especially if you don't have control over them) is not managing it.
You're still depending on the thing you checked in. You're just storing it somewhere else.
PS. You can achieve the same thing (frozen dependency tree) with shrinkwrap.
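The "frozen dependency tree" mentioned above only stays frozen if every entry in the lockfile is actually pinned. The following is an added example, not code from the thread or from npm: a small Node script that walks a constructed npm-shrinkwrap.json (lockfileVersion 1 layout, nested `dependencies` objects) and reports any entry that lacks an exact version, an integrity hash or a `resolved` URL on the registry you trust. The `EXPECTED_REGISTRY` value and the sample lockfile, including its package names and hash strings, are assumptions made up for the example.

```javascript
// Added example (not from the thread): audit a lockfileVersion-1 npm-shrinkwrap.json
// so that a "frozen" tree really is frozen. Run with: node audit-lockfile.js

// Assumption: the only registry we expect tarballs to come from.
const EXPECTED_REGISTRY = 'https://registry.npmjs.org/';

// Constructed sample lockfile; package names, versions and hashes are made up.
const sampleLock = {
  name: 'example-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTED_PLACEHOLDER_HASH_AAAA',
    },
    'some-lib': {
      version: '2.0.1',
      resolved: 'https://registry.npmjs.org/some-lib/-/some-lib-2.0.1.tgz',
      // no integrity field: npm cannot verify the tarball it downloads
      dependencies: {
        'nested-dep': {
          version: '0.9.0',
          resolved: 'https://mirror.example.internal/nested-dep-0.9.0.tgz',
          integrity: 'sha512-CONSTRUCTED_PLACEHOLDER_HASH_BBBB',
        },
      },
    },
    'git-thing': {
      // a branch reference, not a pinned commit: resolves differently over time
      version: 'git+https://github.com/example/git-thing.git#master',
      from: 'git+https://github.com/example/git-thing.git#master',
    },
  },
};

// Exact semver only: no ranges, no git refs, no tags.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Walk the nested `dependencies` tree and collect one finding per problem.
function auditLockfile(lock) {
  const findings = [];
  function visit(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = [...path, name].join(' > ');
      if (!EXACT_SEMVER.test(entry.version || '')) {
        findings.push({ where, problem: 'version is not an exact semver (floating reference)' });
      }
      if (!entry.integrity) {
        findings.push({ where, problem: 'missing integrity hash' });
      }
      if (!entry.resolved) {
        findings.push({ where, problem: 'missing resolved URL' });
      } else if (!entry.resolved.startsWith(EXPECTED_REGISTRY)) {
        findings.push({ where, problem: `resolved from unexpected host: ${entry.resolved}` });
      }
      visit(entry.dependencies, [...path, name]);
    }
  }
  visit(lock.dependencies, []);
  return findings;
}

// True only when every entry in the tree is pinned, hashed and from the expected registry.
function isFrozen(lock) {
  return auditLockfile(lock).length === 0;
}

// Report on the constructed sample when run directly.
for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.where}: ${f.problem}`);
}
console.log(`frozen: ${isFrozen(sampleLock)}`);
```

In a CI job this check would run against the real lockfile (`JSON.parse(fs.readFileSync('npm-shrinkwrap.json'))` in place of `sampleLock`) and fail the build on any finding, so a floating git ref or an entry without an integrity hash cannot quietly re-introduce the "changes behind your back" problem that checking dependencies in was meant to solve.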
Yes, since it's checked in, it won't change "behind your back" or disappear.
You also can add fixes to it.
It will also not get fixed, when important bugs or security issues are discovered and fixed upstream.
> You also can add fixes to it
Which is called a "fork" which you'll then have to maintain.