Duplicate transitive dependencies throw a wrench in the lockfiles/pinning approach, since most package managers don't make it easy to install multiple versions of the same package (operating under the assumption that packages are large).
There's also a meaningful message difference when you look at a package page that says it's "done" as opposed to "dead".
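As an added example, not part of the comment above, here is a small Python check for the duplicate-transitive-dependency situation the first point describes: it walks a lockfile and reports any package that is installed at more than one version, and where each copy is nested. It assumes the npm lockfileVersion 3 layout (a "packages" map keyed by install path); the sample lockfile is constructed, not taken from a real project.

```python
import json
from collections import defaultdict

# Constructed sample lockfile (npm lockfileVersion 3 layout, fictitious packages).
# "a" and "b" both depend on "util-lib" but on incompatible major versions, so
# npm nests a second copy under node_modules/b/.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"a": "^1.0.0", "b": "^2.0.0"}},
        "node_modules/a": {"version": "1.4.0",
                           "dependencies": {"util-lib": "^1.0.0"}},
        "node_modules/b": {"version": "2.1.0",
                           "dependencies": {"util-lib": "^2.0.0"}},
        "node_modules/util-lib": {"version": "1.2.3"},
        "node_modules/b/node_modules/util-lib": {"version": "2.0.1"},
    },
})


def package_name(install_path):
    """Map an install path to the package name it holds.

    "node_modules/b/node_modules/@scope/x" -> "@scope/x"
    """
    return install_path.split("node_modules/")[-1]


def find_duplicate_versions(lock_text):
    """Return {name: {version: [install paths]}} for every package that
    appears in the lockfile at more than one version."""
    lock = json.loads(lock_text)
    seen = defaultdict(lambda: defaultdict(list))
    for path, entry in lock.get("packages", {}).items():
        # The "" entry is the root project; entries without a version
        # (e.g. workspace links) carry no installed copy to compare.
        if path == "" or "version" not in entry:
            continue
        seen[package_name(path)][entry["version"]].append(path)
    return {
        name: {ver: sorted(paths) for ver, paths in versions.items()}
        for name, versions in seen.items()
        if len(versions) > 1
    }


def report(lock_text):
    """Human-readable summary; one line per duplicated package."""
    lines = []
    for name, versions in sorted(find_duplicate_versions(lock_text).items()):
        copies = ", ".join(f"{v} at {p}" for v, ps in sorted(versions.items()) for p in ps)
        lines.append(f"{name}: {len(versions)} versions installed ({copies})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOCK):
        print(line)
```

Each extra copy of a package is one more artifact to audit, pin and patch, so a check like this run against the lockfile in CI makes the hidden duplicates visible instead of leaving them to the package manager's nesting rules.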