Idk how I feel about this. I think this is only an appropriate solution if you are 100% capable and can take complete ownership of patching said dependencies.
I get how there is risk associated with a supply chain attack, but what are you going to do when you don't understand a vulnerability and need to fix it?
Most problems aren't impossible to solve of course, but those who've been working with a codebase for a long time probably have a more intimate knowledge of how it works.