[no-name-here]

Wouldn't locking dependencies be far more likely for dependency-users to do, and be approximately as effective for those that do?