Vendoring my dependencies wouldn't save me from a rare issue I had dealing with npm packages. For example, I had a package that relied on an underlying API call to a machine learning cloud API, and the API call became deprecated. Not writing code is the only sure way to have no bugs.