So I came across this comment recently (https://news.ycombinator.com/item?id=10604168) through a blog post (Dan Luu's post on monolithic version control: https://danluu.com/monorepo/).
Some cursory googling shows that a lot of the internet really hates vendoring (the first hit on a very neutral search like 'vendoring dependencies' tells me it is 'evil'), but at the same time giant companies like Google most definitely vendor in all their dependencies (and AFAIK, build everything from source).
So as a discussion point...

1) Should we vendor in our dependencies? Is there a point/size of company/size of codebase at which it starts making sense?
2) Have you ever experienced a catastrophic versioning error that actually caused some monetary damage?
3) What were your experiences with vendoring? Was it worth the effort?