[Bolkan]

You can only pin your direct deps.

[leodriesch]

A lockfile is a way to lock your indirect dependencies. If you only install based on the lockfile every dependency is pinned.

[Bolkan]

You cannot audit and pin all your transitive dependencies. The amount of churn tge lockfile goes through is insane.

[WorldMaker]

Dependabot watches all the transitive dependencies in your lock files. For better and worse. For worse in that it's not a great developer experience to get a PR on a low level transitive dependencies, which is also one of the largest complaints about Dependabot that it often feels too low level and not working at the dependency level you are working at. But Dependabot (and npm audit) still exist to audit all your low level transitive dependencies in your lock files.