bombolo
1275 days ago
It's more dangerous to let people pin dependencies and have vulnerable libraries in use forever.
burntsushi
1275 days ago
Who says the distros are *using* the lock file? AFAIK, Debian doesn't use ripgrep's lock file, for example. They don't have to, because of semver.
LtWorf
1275 days ago
What's the point of the lockfile then?
burntsushi
1275 days ago
For people that want to build with the exact set of dependency versions tested by upstream. Just because some distros don't use them doesn't mean there isn't any point.
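The distinction drawn above (a distro resolving by the manifest's semver requirement versus a build using the exact versions in Cargo.lock) can be checked mechanically. The following is an added example, not code from any commenter or from ripgrep: it implements Cargo's default caret-requirement rules and compares the locked versions against a constructed set of distro-provided versions; the Cargo.lock snippet, requirements and distro versions are all made up for illustration.

```python
import re

def parse_version(s):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints (pre-release tags not handled)."""
    return tuple(int(x) for x in s.split("."))

def caret_range(req):
    """Expand a Cargo caret requirement (the default for 'regex = "1.5"') into an
    inclusive lower bound and an exclusive upper bound. Cargo's rule: the
    leftmost non-zero component is frozen (^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0,
    ^0.0.3 -> <0.0.4); if every given component is zero, the last one is."""
    parts = [int(x) for x in req.lstrip("^").split(".")]
    lower = tuple(parts + [0] * (3 - len(parts)))
    nonzero = [i for i, p in enumerate(parts) if p != 0]
    i = nonzero[0] if nonzero else len(parts) - 1
    upper = parts[:i] + [parts[i] + 1] + [0] * (3 - i - 1)
    return lower, tuple(upper)

def satisfies(version, req):
    """True if an exact version lies inside the caret range of the requirement."""
    lower, upper = caret_range(req)
    return lower <= parse_version(version) < upper

# Cargo.lock lists every resolved crate as a [[package]] table with name, then version.
LOCK_ENTRY = re.compile(r'\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"')

def locked_versions(lock_text):
    """Extract name -> exact version from the [[package]] entries of a Cargo.lock."""
    return dict(LOCK_ENTRY.findall(lock_text))

def compare(lock_text, requirements, distro_versions):
    """Per dependency: the version upstream tested (lock file), the version a
    distro would build against, whether that still meets the manifest's semver
    requirement, and whether it is actually the tested one."""
    locked = locked_versions(lock_text)
    report = {}
    for name, req in requirements.items():
        distro = distro_versions.get(name)
        report[name] = {
            "locked": locked.get(name),
            "distro": distro,
            "distro_ok": distro is not None and satisfies(distro, req),
            "same_as_tested": distro == locked.get(name),
        }
    return report

# Constructed sample inputs (not real ripgrep or Debian data).
CARGO_LOCK = '[[package]]\nname = "regex"\nversion = "1.5.4"\n\n' \
             '[[package]]\nname = "memchr"\nversion = "2.4.1"\n'
REQUIREMENTS = {"regex": "1.5", "memchr": "2.4"}      # from a hypothetical Cargo.toml
DISTRO = {"regex": "1.5.6", "memchr": "3.0.0"}         # hypothetical distro packages
```

A distro build passes semver's check for `regex` while not being the exact set upstream tested, and fails it for `memchr`, which is precisely the gap the lock file exists to close for anyone who wants the tested set.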