[dontlaugh]

The distros will eventually stop this dangerous practice of mixing and matching versions for all dependencies. It can only work for a small set of system components, which is what every other OS does.

[bombolo]

It's more dangerous to let people pin dependencies and have vulnerable libraries in use forever.

[burntsushi]

Who says the distros are using the lock file? AFAIK, Debian doesn't use ripgrep's lock file, for example. They don't have to, because of semver.

[LtWorf]

What's the point of the lockfile then?

[burntsushi]

For people that want to build with the exact set of dependency versions tested by upstream. Just because some distros don't use them doesn't mean there isn't any point.