What you describe is convenience, not sense
When a release is approved, it should be rebuilt with all the libraries pulled and stored locally, and that binary shipped. This way, and only this way, can the build be described as frozen and repeatable. Of course it's a pain. But the first time you try to compile you create a script with all pulls to make it easier next time.
You can also audit whether different code portions are calling different versions of the same library.
Think that's silly? See HCSEC_OversightBoardReport-2019.pdf at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf where Huawei's code used "6 copies of 2 different OpenSSL versions, with 5 being 1.0.2k and one fork from a vendor SDK. There remained 17 partial copies of 3 versions, ranging from 0.9.7d to 1.0.2k. The fragments from the 10 different versions of OpenSSL remained across the codebase as do the OpenSSL derived files that have been modified by Huawei. More worryingly, the later version appears to contain code that is vulnerable to 10 publicly disclosed OpenSSL vulnerabilities, some dating back to 2006. This shows the lack of maintainability and security resulting from the poor configuration management, product architecture and component lifecycle management."
Lastly, repositories are other people's computers. Use them, don't depend on them.
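An added example, not part of the comment above: a small Python audit script in the spirit of the two practices the commenter recommends. It checks a locally stored pull against the sha256 recorded when the release was approved, and it walks a vendored source tree looking for every copy of OpenSSL and reports how many copies and how many distinct versions it finds (the kind of finding in the HCSEC report). Assumptions: OpenSSL copies are identified by the `OPENSSL_VERSION_TEXT` define in `opensslv.h`, the vendored tree layout is a constructed sample, and the sample "archive" is a tiny constructed file rather than a real tarball.

```python
"""Audit a vendored dependency tree for duplicate library copies and
verify that a locally stored pull matches its pinned hash.

Added example, not code from the original comment. Assumptions:
- vendored sources live under one root directory
- OpenSSL copies are recognised by the OPENSSL_VERSION_TEXT define in opensslv.h
- the sample tree and sample archive below are constructed for the demo
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Matches e.g.  # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2k  26 Jan 2017"
VERSION_RE = re.compile(r'#\s*define\s+OPENSSL_VERSION_TEXT\s+"OpenSSL ([0-9][^ "]*)')

# sha256 of the constructed sample archive contents (b"hello")
SAMPLE_ARCHIVE_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def sha256_file(path):
    """Stream a file through sha256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(path, expected_sha256):
    """A stored pull is only trusted if it matches the hash pinned at approval time."""
    return sha256_file(path) == expected_sha256.lower()


def find_openssl_copies(root):
    """Return {version: [relative paths]} for every opensslv.h below root."""
    copies = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        if "opensslv.h" not in files:
            continue
        path = os.path.join(dirpath, "opensslv.h")
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = VERSION_RE.search(fh.read())
        version = match.group(1) if match else "unknown"
        copies[version].append(os.path.relpath(path, root))
    return dict(copies)


def audit(copies):
    """Findings: more than one copy in total, or more than one distinct version."""
    findings = []
    total = sum(len(paths) for paths in copies.values())
    if total > 1:
        findings.append(f"{total} copies of OpenSSL found in the tree")
    if len(copies) > 1:
        findings.append(f"{len(copies)} distinct OpenSSL versions: {sorted(copies)}")
    return findings


def build_sample_tree():
    """Constructed sample: two 1.0.2k copies, one 0.9.7d copy, plus a fake archive.

    Returns (root, archive_path).
    """
    root = tempfile.mkdtemp(prefix="vendor_")
    layout = {
        "third_party/openssl/include/openssl/opensslv.h": "1.0.2k",
        "sdk/vendor_fork/crypto/opensslv.h": "1.0.2k",
        "legacy/net/ssl/opensslv.h": "0.9.7d",
    }
    for rel, ver in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(f'# define OPENSSL_VERSION_TEXT "OpenSSL {ver}  26 Jan 2017"\n')
    archive = os.path.join(root, "pulls", "openssl-1.0.2k.tar.gz")
    os.makedirs(os.path.dirname(archive), exist_ok=True)
    with open(archive, "wb") as fh:
        fh.write(b"hello")  # constructed stand-in for a real archive
    return root, archive


if __name__ == "__main__":
    root, archive = build_sample_tree()
    print("pinned hash ok:", verify_pinned(archive, SAMPLE_ARCHIVE_SHA256))
    copies = find_openssl_copies(root)
    for version, paths in sorted(copies.items()):
        print(version, paths)
    for finding in audit(copies):
        print("FINDING:", finding)
```

Run it against a real tree by replacing `build_sample_tree()` with the path to your vendored sources and the hash with the one recorded in your pull script at approval time; the same walk-and-grep pattern extends to other libraries by swapping the header name and regex.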