by baq 458 days ago
Not pinning dependencies is an existential risk to the business. Yes, it’s a tradeoff; you must assign a probability of any dependency being hijacked in your timeframe yourself, but it is not zero.

I don't think others were necessarily talking about "business".

Though, yes, I prefer pinning dependencies for my personal projects. I don't see why things should break when I explicitly keep them the same.
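Both comments above come down to the same control: an exact, reproducible dependency set. The following is an added example, not code from either commenter, showing how a defender can audit a pip-style `requirements.txt` for that property. It classifies every requirement as exactly pinned with a `--hash` (reproducible and integrity-checked), exactly pinned without a hash (reproducible, but a substituted artifact would still install), or floating (a range, wildcard or bare name that a hijacked release could satisfy). The requirements file and its hash value are constructed for the example; the script does not talk to any index.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample requirements file for the example; the hash is a
# placeholder, not the digest of any real artifact.
SAMPLE_REQUIREMENTS = """\
# constructed example
requests==2.31.0 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3==2.0.7
flask>=2.0
pyyaml
cryptography~=41.0
--index-url https://pypi.example.invalid/simple
numpy==1.26.*
click==8.1.7; python_version >= "3.8"
"""

STATUSES = ("pinned+hashed", "pinned", "floating", "option")


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    status: str   # one of STATUSES
    detail: str


# distribution name, optional [extras], then whatever specifier text follows
NAME_SPEC_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>.*)$"
)
# ==1.2.3 or ===1.2.3 with a concrete version; a trailing '*' wildcard is excluded
EXACT_PIN_RE = re.compile(r"^===?\s*[A-Za-z0-9._+!-]+$")


def classify_line(line_no: int, raw: str) -> Optional[Finding]:
    """Classify one requirements.txt line; returns None for blank/comment lines."""
    line = raw.split("#", 1)[0].strip()          # drop trailing comment
    if not line:
        return None
    if line.startswith("-"):                      # -r, --index-url, etc.
        return Finding(line_no, line.split()[0], "option", "pip option line, not a requirement")
    tokens = line.split()
    hashes = [t for t in tokens if t.startswith("--hash=")]
    # strip per-requirement options, then the environment marker after ';'
    req = " ".join(t for t in tokens if not t.startswith("--"))
    req = req.split(";", 1)[0].strip()
    m = NAME_SPEC_RE.match(req)
    if not m:
        return Finding(line_no, req, "floating", "unparseable requirement")
    name, spec = m.group("name"), m.group("spec").replace(" ", "")
    if EXACT_PIN_RE.match(spec):
        if hashes:
            return Finding(line_no, name, "pinned+hashed", f"{len(hashes)} hash(es)")
        return Finding(line_no, name, "pinned", "exact version, no --hash")
    return Finding(line_no, name, "floating", spec or "no version specifier")


def audit(text: str) -> List[Finding]:
    """Classify every line of a requirements file."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        f = classify_line(n, raw)
        if f is not None:
            out.append(f)
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, always reporting all four statuses."""
    counts = {s: 0 for s in STATUSES}
    for f in findings:
        counts[f.status] += 1
    return counts


def floating_names(text: str) -> List[str]:
    """Names that a newly published (possibly hijacked) release could satisfy."""
    return sorted(f.name for f in audit(text) if f.status == "floating")


if __name__ == "__main__":
    findings = audit(SAMPLE_REQUIREMENTS)
    for f in findings:
        print(f"line {f.line_no:>2}  {f.status:<14} {f.name:<14} {f.detail}")
    print("summary:", summarize(findings))
    print("floating:", floating_names(SAMPLE_REQUIREMENTS))
```

Run as a pre-merge check, a non-empty `floating_names` result is the signal the first comment is about: any entry in that list can change underneath a build without anyone editing the file. Entries that are pinned but unhashed are the weaker middle ground; `pip install --require-hashes` against a fully hashed file refuses to install anything the file does not already vouch for.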