
Security is one big reason. Avoiding link time or runtime conflicts is another. And, yes, having outgoing network calls for builds is a problem. Not because of performance concerns, but because it's a security and reliability nightmare. But consistency across the whole codebase is drastically important.

There are many, many reasons, but overall sanity and security concerns are paramount.

But also, read the original article referred to here... and the pain points seen there. Be careful about what you depend on.
> Security is one big reason. Avoiding link time or runtime conflicts is another.

I mean, most Linux distributions do the same thing - anything that's "vendored" as part of some project is supposed to be patched out from the source and pointed to the single system-wide version of that dependency. And Debian is packaging lots of Rust crates and Golang modules as build-time dependencies within their archive.