[HereBeBeasties]

It probably doesn't. But are you saying devs never updates their dependencies?

[andrejserafim]

When one updates internal dependency versions one usually has to find them. At least that was the story with my gigs. So there's a listing somewhere.

So you wouldn't get a random version even considered.

Version shadowing and overriding is a totally different concern of course.