That's really no different than a package shipping any other bug. You lock to the previous version and reevaluate on your update cadence to see if things are fixed when you update your other dependencies. Cloning the entire repo just delays that step. If you automate your updates this wouldn't even affect you at all. You'd simply see an update fail and go on with your life. As long as you've checked in your resolved file, everyone else on the project stays in sync and never even sees the issue. Really the people who will have the biggest problem with issues like that are new users who are trying to integrate the package for the first time, but it's hard to avoid that issue without a distribution process that separates the raw repo from the consumable.