by markcurphey 1348 days ago
Point taken, and there are two trains of thought. The way I think about it is that it's a double-edged sword. If you have already trusted a dependency, then trusting an update is a risk, but less than the risk of having known vulnerable versions. I rarely see developers actually looking at the code of new versions when upgrading. My take on all this is a pessimistic one based on what I have seen and not on best practices. If teams I saw reviewed the updates, I would fall on the pinned side of the sword.

You might trust a dependency from a security perspective, but they might still have accidentally introduced a breaking change into a non-major version bump. It seems like a recipe for disaster to deploy other versions of dependencies (which might pull in further different versions of transitive dependencies) and assume it'll all work.
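The trade-off both comments describe, as an added example that is not part of the thread: given a pinned version, the releases available upstream and a set of versions with known vulnerabilities, pick the smallest upgrade that leaves the vulnerable set, staying inside the current major where possible, and flag when only a major bump is safe. All version data and the `recommend` function are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse a plain 'MAJOR.MINOR.PATCH' string into a comparable tuple."""
    major, minor, patch = (int(x) for x in v.split("."))
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}"


@dataclass
class Recommendation:
    version: Optional[str]   # version to move to, or None if no safe release exists
    crosses_major: bool      # True when the only safe option is a major bump
    reason: str


def recommend(pinned: str, available: List[str], vulnerable: Set[str]) -> Recommendation:
    """Decide whether to keep a pin or which upgrade to take (hypothetical helper)."""
    cur = parse(pinned)
    if pinned not in vulnerable:
        return Recommendation(pinned, False, "pinned version has no known vulnerability; keep the pin")
    # Candidates: releases newer than the pin that are not known-vulnerable, smallest first.
    safe = sorted(parse(v) for v in available if v not in vulnerable and parse(v) > cur)
    same_major = [v for v in safe if v[0] == cur[0]]
    if same_major:
        # Smallest change that fixes the issue: fewest chances of a hidden breaking change.
        return Recommendation(fmt(same_major[0]), False, "smallest non-vulnerable upgrade within the same major")
    if safe:
        # Only a major bump escapes the vulnerable range: review changelog and tests before deploying.
        return Recommendation(fmt(safe[0]), True, "only a major bump escapes the vulnerable range")
    return Recommendation(None, False, "no non-vulnerable newer release published; mitigate or replace")


if __name__ == "__main__":
    # Constructed sample: 1.4.0 through 1.4.2 affected, 1.4.3 fixed, 2.0.0 also available.
    r = recommend("1.4.1", ["1.4.0", "1.4.1", "1.4.2", "1.4.3", "2.0.0"], {"1.4.0", "1.4.1", "1.4.2"})
    print(r)  # version='1.4.3', crosses_major=False
```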