I see this a lot and it really rubs me the wrong way, but it makes a lot of sense from a usability standpoint.
I started pointing directly at the full commit SHA of the version I want to use when pointing dependencies at Github repos, as I have some naïve belief that it'll offer me a reasonable level of protection from the malicious takeover of a repo.
Docker tags (imagename:tag) aren't cryptographically secure and can be replaced by the server at any time if you aren't using imagename@sha256:<hash> format.
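A small policy check covering both points raised above (full commit SHAs for Git dependencies, `imagename@sha256:<hash>` for images). This is an added example, not code from the original thread; the manifest lines, image names and repository URLs in it are constructed, and the `find_unpinned` helper and its line formats (Dockerfile `FROM` lines and pip-style `git+` URLs) are my own assumptions about how such a check would be fed.

```python
import re

# Added example: classify dependency references as content-pinned or not.
# A sha256 digest or a full commit SHA names immutable content; a tag or
# branch is a mutable pointer the remote side can re-point at any time.

SHA256_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
FULL_GIT_SHA = re.compile(r"^[0-9a-fA-F]{40}$")


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest).

    A ':' only counts as a tag separator when it comes after the last '/',
    so registry hosts with ports (localhost:5000/app:1.0) parse correctly.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    return name, tag, digest


def image_is_pinned(ref):
    """True only when the reference carries a well-formed sha256 digest."""
    _, _, digest = parse_image_ref(ref)
    return digest is not None and SHA256_DIGEST.fullmatch(digest) is not None


def git_ref_is_pinned(ref):
    """True only for a full 40-hex commit SHA.

    Tags and branches can be moved; abbreviated SHAs can become ambiguous
    as a repository grows, so neither is treated as pinned.
    """
    return FULL_GIT_SHA.fullmatch(ref) is not None


def find_unpinned(lines):
    """Return the references in a manifest that are not content-pinned.

    Constructed input format (an assumption of this example): Dockerfile
    'FROM <image> [AS <stage>]' lines and pip-style 'git+<url>@<ref>#egg=...'
    lines. Anything else is ignored.
    """
    unpinned = []
    for raw in lines:
        line = raw.strip()
        if line.upper().startswith("FROM "):
            image = line.split()[1]
            if image == "scratch":  # the empty base image has no content to pin
                continue
            if not image_is_pinned(image):
                unpinned.append(image)
        elif line.startswith("git+"):
            _, _, rest = line.rpartition("@")
            ref = rest.split("#", 1)[0]
            if not git_ref_is_pinned(ref):
                unpinned.append(line.split("#", 1)[0])
    return unpinned


# Constructed sample manifest; the names and hashes are placeholders.
SAMPLE_MANIFEST = [
    "FROM python:3.12-slim",
    "FROM gcr.io/distroless/base@sha256:" + "0" * 64,
    "git+https://github.com/example-org/example-lib.git@v2.0.1#egg=example_lib",
    "git+https://github.com/example-org/example-lib.git@" + "f" * 40 + "#egg=example_lib",
]

if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_MANIFEST):
        print("not content-pinned:", ref)
```

The check is syntactic: it tells you whether a reference *can* change underneath you, not whether the pinned content is trustworthy. The digest or SHA still has to come from a source you trust (a lockfile you reviewed, a signed release), and pins have to be refreshed deliberately rather than left stale.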