Vendoring a pinned dependency just looks like dependency theater. You can let it sit there as a pinned dependency and it will do just as much harm as if you vendor it.
I get the sense (only a sense because the author is a bit coy, but sibling comment by him seems to confirm) that this was more to appease these tools that look for “bad dependencies”.
I get the sense (only a sense because the author is a bit coy, but sibling comment by him seems to confirm) that this was more to appease these tools that look for “bad dependencies”.