tzs 4 hours ago

Or find the best third party library and copy the code from a widely used version that has been out long enough to have been well tested into your source tree.

The problem is not third party libraries. It is updating third party libraries when the version you have still works fine for your needs.

estebank 2 hours ago | parent

Don't do this. Use a package manager that lets you specify a specific version to pin against. Vendoring sidesteps most automated tooling that can warn you about vulnerabilities. Vendoring is a signal that your tooling is insufficient, 99% of the time.