Some projects like to vendor their dependencies so they don’t have to rely on the supply chain staying up and can create hermetic builds. Of course this prevents you from getting security updates and bug fixes but that’s the trade off.

I know someone’s going to say “you can lock the dependencies ” but this does not make it for sure that you’ll get a 1 for 1 copy of the dependencies again. Some node modules npm I internally or do other build procedures