by zelphirkalt 597 days ago
A lib can still lock its dependencies and have version ranges declared at the same time. The lock file is an artifact that is used to reproducibly build the lib, while the version ranges are used to see whether some other project can use the lib.

It is only a matter of tooling. Locking one's dependencies remains the right thing to do, even for a lib.

2 comments

This is of course the right answer. But unfortunately it has only recently become supported by packaging tooling, and is extremely uncommon to encounter in the wild.
If you include a range you have to test with everything in the range.