Re: botnet
This isn't about using third party libraries, it's about loading/updating them from a server out of your control, into your live software.
What is live? Errm what? How is that debatable? Production code, in use, with real data - as opposed to code in development on someone's local computer which no-one else is accessing except maybe other people on the development team.
It's an easy line. Host your software. Don't be in a situation where your live (sorry, production/in use) code can be altered by someone else outside your team.
As for 3rd party libraries, I'll happily update packages on my personal machines, after reading changelogs, and if something breaks, I'll try and sort it out, but you can be bloody sure I won't update dependencies on live server code in such a cavalier way, and ESPECIALLY not in an automated way.
This is nothing unusual. It's standard practice, but more, it's common sense. At my last job, thousands of people in the company used my team's software that ran on internal servers. We all liked our jobs too much to allow random people in the world to alter our live (running) code at will.
The fact this distinction isn't obvious to you leads me to believe you are of the younger generation that is responsible for this mess.
I don't look forward to the future when all us grey beards have retired, and new software is required for new traffic lights/hospital equipment/nuclear power systems/autonomous cars...