
Pinning is a good strategy (I'd say that it should be the default one), but depending on your level of paranoia (think left-pad), you might consider just downloading the lib as it is, and storing it in source control forever.


I do sort of miss bower [0] for this reason. It was really just a way to download javascript and plunk it into your application. It was standard practice to check all of your vendor dependencies into SCM. [1] Of course a good chunk of it was transformed through something like Gulp or Grunt before being added to the bower repository, so you were unlikely to maintain those once checked in, but there were still quite a few packages (small jquery image gallery plugins and the like) that were just some un-transformed javascript someone typed up and threw at bower verbatim.

[0] https://bower.io

[1] https://addyosmani.com/blog/checking-in-front-end-dependenci...



