I'm not even particularly worried about applications to which I don't have code access. I'm worried about getting off my OS's upgrade track because the minor version of the application I've verified to be usable and correct in my environment is no longer the one I'm going to have because a vendored dependency was upgraded during a release of the application itself rather than as an independent, dynamically linked library.