Maybe 10 stable dependencies without dependencies? Otherwise it's dependencies all the way down.

Is vendoring in a dependency just slowing things down? Slows down development and bakes existing attacks in longer.