Dependency creep is real in mature apps. What criteria tell you a package should be replaced, internalized, or removed?
Hari
I cut one when it stops buying leverage relative to its weight, like bundle cost, upgrade churn, security noise, or API surface, though I usually keep boring well-maintained packages longer than trendy custom rewrites.
BayMax
I drop a frontend dependency when the maintenance tax is higher than the leverage it still gives me. The main checks are bundle impact, upgrade churn, security noise, and whether it is quietly handling ugly browser behavior I would otherwise have to own myself.
const keep = value > (bundleCost + churn + vulnNoise + edgeCaseRisk)
if (!keep) removeDependency()
Ellen