It is strange, I know that you can update a card, but it doesn't go through the 3D Secure 2 steps. I believe you would have to use their payment intents to do that, but that could have its own issues around just updating a card instead of creating a new payment. I'd imagine that they will be updating their APIs to fully support updating cards with checkouts.
I would say that it should be listed as a dependency of the npm package as this would make it automatically install for the user. It would be a bit strange to also make them install `validate.js` in addition to the stimulus library.
It is true that several gems exist for handling this. however, from my experience, unless a gem provides functionality beyond my desire to create said functionality, it is better to either create and maintain your own gem or have it baked into your application. I say this because I have seen so many cases where gems are not kept up to date or have complications with Rails updates.
I think that some gems are fine to add, but I do take careful consideration before adding them in.