Better to treat it as a dependency still, but audit each new commit/release as it comes in, and pin to the exact last commit id that you verified.
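A concrete version of that workflow, as an added example that is not part of the comment above: it keeps the upstream repo as a dependency, records the full commit id you audited in a pin file, lists whatever has landed upstream since that pin so you can review it, and checks the working copy out at exactly the pinned id. Git is assumed to be installed; the toy "upstream" repository built by `make_upstream`, the pin-file location, and the function names are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes git is available; the upstream
# repo below is a constructed stand-in so the script runs offline.
set -eu

# Identity/config flags so the demo commits work in a clean environment.
GIT="git -c user.name=demo -c user.email=demo@example.com -c commit.gpgsign=false -c init.defaultBranch=main"

# Build a constructed upstream repo with three commits (hypothetical dependency).
make_upstream() {
  dir=$(mktemp -d)
  (
    cd "$dir" && $GIT init -q .
    for n in 1 2 3; do
      echo "change $n" > f.txt
      $GIT add f.txt
      $GIT commit -q -m "upstream change $n"
    done
  )
  echo "$dir"
}

# A pin must be a full 40-hex commit id: branch names and tags can be moved,
# so they are not a record of what you actually audited.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# record_pin <repo> <pinfile> <commit-ish>: resolve whatever you just reviewed
# (HEAD, a tag, a short id) to its full commit id and store that.
record_pin() {
  sha=$(git -C "$1" rev-parse --verify "$3^{commit}")
  is_full_sha "$sha" || return 1
  printf '%s\n' "$sha" > "$2"
}

# unaudited_commits <repo> <pinfile>: everything upstream has added since the
# pinned id, i.e. the commits you still need to read before moving the pin.
unaudited_commits() {
  git -C "$1" log --oneline "$(cat "$2")..HEAD"
}

# checkout_pin <repo> <pinfile>: put the working copy at exactly the audited
# id and fail if the resulting HEAD is anything else.
checkout_pin() {
  pin=$(cat "$2")
  is_full_sha "$pin" || return 1
  git -C "$1" -c advice.detachedHead=false checkout -q "$pin"
  [ "$(git -C "$1" rev-parse HEAD)" = "$pin" ]
}

# Usage: pin at the commit before upstream's latest, then see what is pending.
repo=$(make_upstream)
pinfile=$(mktemp)
record_pin "$repo" "$pinfile" HEAD~1
echo "pinned: $(cat "$pinfile")"
echo "not yet audited:"
unaudited_commits "$repo" "$pinfile"
checkout_pin "$repo" "$pinfile" && echo "working copy is at the audited commit"
```

The pin file is what goes into your own repository (or into the dependency manager's lock file, where it supports a full commit id); bumping it is a deliberate act that happens only after `unaudited_commits` comes back empty because you have read what it listed.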