This is why you should vendor it. What is "it"? All of it, whatever it may be. You should be able to build your systems without an internet connection to the outside world.
I say this with no reference to particulars of your language or runtime or environment or anything else. This is merely a specific example of something that could happen to a lot of people, in a lot of languages. It's just a basic rule of professional software development.
I agree. I use and love NPM and others like it, but when it comes down to it, i check-in my dependencies when my applications get "released".
Committing the updates is only one more step, and in my experience it's not even another step since we already have a rule that new installs or dep updates need their own commit.
It becomes even more important in an "enterprise" environment. I have machines here which are blocked from executing node.exe (at the time, the binary I had wasn't signed).
I have machines here that have to authenticate via SSPI/NTLMv2 to a proxy to get out to the net. And don't even get me started on the SSL MITM we have here.
I can't run your startup's app here. I can't run your new build tool here.
And the endless list of risk reducing stuff like this (and not just in IT either) is exactly why big companies are slow. Big corps need figure out how to create small disconnected divisions instead of consolidating common services for cost savings. If one of your tiny divisions gets hacked it doesn't take down the rest unless your all on the same systems burdened by the same laundry list of security and policies.
I don't think "vendoring" in the sense of copying all your dependencies into your source tree is a good idea. Source and dependencies are different things and well worth using different tools for. You absolutely do want to ensure that your builds are reproducible even if the upstream libraries go away, but there are ways to do that without putting their source in your source tree.
I don't undertand why this isn't the most common reaction, maybe people don't want to take this much responsibility over their builds since they've grown used to it being "taken care of" by these central package repositories for them?
Still relying on internet connection for builds to pass seems rather silly to me.
Or have a decent package management setup? Or just use an existing one, it's been working for 20 years. Package management is a solved problem, just use an existing one and move on.
I say this with no reference to particulars of your language or runtime or environment or anything else. This is merely a specific example of something that could happen to a lot of people, in a lot of languages. It's just a basic rule of professional software development.