Hi @marco-m,
At the moment the only option that would (mostly) fit your constraints is to fork the modules you intend to use and then use your forks as dependencies. If you retain them as separate repositories then you can still pull in new tags from upstream relatively easily when you want to use them, but you’ll be in control of when they change.
Copying them into your repository is also possible, but I imagine you were looking for an automated tool to do that, rather than just doing it manually. There is no such tool today.
Dependency locking like the systems you referred to is likely to come eventually, but isn’t present today.