by tpxl 3047 days ago
You do what any sane package manager does and pin the version. Having the option to declare a dependency version as >= 4.0.3 is a bug, not a feature.
1 comments

So you first recursively read the code and the code of all the dependencies? And then pin it?

That sounds like a lot of work. Compared to copying/writing 30 lines.

How do you know the pinned version and its dependencies do not get changed by the maintainers?

I meant as a solution to not breaking in the future. If you have a system with pinned versions that work, it will always work, regardless of the changes in new versions.
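As an added example that is not part of the thread, a small Python check covering both points raised above: which declared specs are floating ranges rather than exact pins, and whether a pinned version's artifact still matches the content hash recorded when it was reviewed. The manifest format, lockfile shape, package names and artifact bytes are all constructed for this example.

```python
"""Added example (not from the thread): flag floating version ranges in a
dependency manifest, and verify pinned artifacts against recorded sha256
hashes so a silently re-published 'same' version is detected.  Manifest
format, lockfile shape, names and bytes are constructed for illustration."""
import hashlib
import re

# A spec counts as an exact pin only if it is a bare version number.
_EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+$")


def floating_specs(manifest: dict) -> dict:
    """Return dependencies whose spec is a range (>=, ^, ~, *, ...) instead of
    an exact pin; these can resolve to different code without any local edit."""
    return {name: spec for name, spec in manifest.items()
            if not _EXACT_PIN.match(spec)}


def verify_lock(lock: dict, fetched: dict) -> list:
    """Compare each fetched artifact with the sha256 stored in the lockfile.
    Returns the names whose bytes differ or are missing, i.e. where the pinned
    version no longer resolves to the content that was reviewed."""
    changed = []
    for name, entry in lock.items():
        data = fetched.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            changed.append(name)
    return changed


# Constructed manifest: one floating range, one exact pin.
MANIFEST = {"pad-lib": ">=4.0.3", "tiny-util": "1.2.0"}

# Constructed artifact bytes as they were at review time; the lockfile records
# their hashes alongside the pinned version.
REVIEWED = {"pad-lib": b"module.exports = function pad(s, n) { /* ... */ }\n",
            "tiny-util": b"module.exports = {}\n"}
LOCK = {name: {"sha256": hashlib.sha256(data).hexdigest()}
        for name, data in REVIEWED.items()}

if __name__ == "__main__":
    print("floating specs:", floating_specs(MANIFEST))
    # Simulate the same version being re-published with different contents.
    republished = dict(REVIEWED, **{"tiny-util": b"module.exports = {x: 1}\n"})
    print("changed since review:", verify_lock(LOCK, republished))
```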