Are you saying it replaces my package manager, or that I should add another tool to my stack, vet yet another vulnerable dependency for critical use, to do something my package manager already does just as well?

> You ~never want to vendor libraries.

I just explained why you should, and you are yet to provide a counter-argument.