Your deno.json/package.json should generally pin things to their major version (eg. "^3.1.4"). Your application's lockfile (deno.lock/package-lock.json) which is generated by default pins your dependencies and your sub-dependencies to exact versions.