
Isn't this actually the wrong solution? I thought I was told I should be pulling my dependencies into my own cloned repos. Then my project uses my clones. When I want an update I test it out, update the cloned repo and update the project to use the latest tag/hash of my cloned repo. Isn't that what pretty much all the top projects do?

This way everything is under my control. What good is it if I'm told my dependencies have been deleted? And then I what? Copy my old dep from my dev machine to a cloned repo and point to that? Isn't that the same step as above?

Or maybe I just don't get it.




You're not wrong, but you can use that technique and benefit from Dependency CI too.

Typically, you can define your dependencies in a file specific to a certain package manager. NPM uses `package.json`, RubyGems uses `Gemfile`, etc.

It is a reasonable practice to "vendor in" your dependencies, as you suggest. But given the declaration of your dependencies in some manifest file, Dependency CI can give you valuable insights.


Many ways to skin a cat.
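As an added illustration of the two approaches above (not code from either commenter or from Dependency CI), here is a small audit over a manifest that reports which dependency specs do not resolve to one fixed artefact. Only a git dependency pinned to a full commit hash, as the first comment describes, is treated as fully under your control; an exact registry version is reported separately because it still depends on upstream not unpublishing it. The `package.json` content is constructed for the example, and the `example-org` URLs and commit hash are placeholders.

```python
import json
import re

# Constructed sample manifest (not from the thread); mixes the common spec styles.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "left-pad": "^1.3.0",
    "lodash": "4.17.21",
    "mylib": "git+https://github.com/example-org/mylib.git#main",
    "otherlib": "git+https://github.com/example-org/otherlib.git#3c4f2e1a9b7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f",
    "util": "~2.0.0"
  },
  "devDependencies": {
    "mocha": "latest"
  }
}"""

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")
GIT_FULL_SHA = re.compile(r"#[0-9a-f]{40}$")  # a 40-hex commit id after '#'


def classify_spec(spec: str) -> str:
    """Describe how firmly a single dependency spec is pinned."""
    if EXACT_VERSION.match(spec):
        # Exact, but the artefact still lives on a registry you do not control.
        return "registry-exact"
    if spec.startswith(("git+", "github:")) or "://" in spec:
        # A git source is only immutable when it names a full commit hash;
        # a branch or tag can move or be deleted.
        return "pinned-commit" if GIT_FULL_SHA.search(spec) else "git-branch-or-tag"
    if spec in ("latest", "*", ""):
        return "unpinned-tag"
    if spec[0] in "^~>=<":
        return "floating-range"
    return "unrecognised"


def unpinned_dependencies(manifest_text: str) -> dict:
    """Return {name: verdict} for every dep not pinned to a commit you host."""
    manifest = json.loads(manifest_text)
    findings = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            verdict = classify_spec(spec)
            if verdict != "pinned-commit":
                findings[name] = verdict
    return findings


if __name__ == "__main__":
    for name, verdict in sorted(unpinned_dependencies(SAMPLE_PACKAGE_JSON).items()):
        print(f"{name}: {verdict}")
```

The same check applies to a `Gemfile.lock` or similar manifest once its entries are parsed into name/spec pairs.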



