by rvz 20 days ago
The industry standard for the best peace of mind is for ALL dependencies to be pinned, both the lockfile and the dependencies.

Upgrades are done manually, and all characters such as "^" and "*" next to the version are removed, leaving a fixed, predictable version, to avoid unexpected version bumps or package hijacking in case they are compromised.


The dependency file is more important for a library and less for an application.

For a library, the dependency file (Cargo.toml, package.json, ...) defines the lowest version and its constraints of the library's dependencies when using the library in your project.

It allows for the engine to try to resolve versions of common dependencies.

E.g., in Rust:

You have awesome-lib, and depend on dep-1. Your version constraint is 1.0.4, which allows for >=1.0.4 all the way up to <2.

I use another-lib, which also depends on dep-1, but requires 1.4.2.

The engine will then resolve it to a minimum of 1.4.2.

If another library comes in and requires 2.8.3, then that dependency will be duplicated, and hopefully the API surface in those libraries doesn't expose the underlying dependency directly, because then you get funny errors like "These things have the same name but are actually different".
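The two scenarios above (the exact pins the first comment recommends, and the caret-style resolution of dep-1 walked through in this reply) can be made concrete with a small model of Cargo's selection rule. The code below is an added example, not from the thread or from Cargo itself; it models only the default caret requirement and the `=` exact pin, uses a constructed registry index in place of crates.io, and reduces Cargo's backtracking resolver to a greedy grouping (requirements that some version satisfies together share one copy, the newest such version is chosen, and a second copy is allowed only when it is semver-incompatible with the first).

```rust
use std::fmt;

/// A plain MAJOR.MINOR.PATCH version (pre-release and build tags are not modelled).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let (a, b, c) = (it.next()??, it.next()??, it.next()??);
        if it.next().is_some() {
            return None;
        }
        Some(Version(a, b, c))
    }

    /// Semver compatibility bucket: two versions in the same bucket cannot both
    /// be in one build; versions in different buckets are separate crates to Cargo.
    pub fn bucket(self) -> Version {
        if self.0 > 0 { Version(self.0, 0, 0) }
        else if self.1 > 0 { Version(0, self.1, 0) }
        else { Version(0, 0, self.2) }
    }
}

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.0, self.1, self.2)
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Req {
    /// "1.0.4" or "^1.0.4": Cargo's default caret requirement.
    Caret(Version),
    /// "=1.0.4": the exact pin the first comment recommends.
    Exact(Version),
}

impl Req {
    pub fn parse(s: &str) -> Option<Req> {
        let s = s.trim();
        if let Some(rest) = s.strip_prefix('=') {
            Version::parse(rest).map(Req::Exact)
        } else {
            Version::parse(s.strip_prefix('^').unwrap_or(s)).map(Req::Caret)
        }
    }

    pub fn matches(self, v: Version) -> bool {
        match self {
            Req::Exact(e) => v == e,
            // Caret: at least `lo`, and below the next version that may break
            // compatibility (^1.0.4 -> <2.0.0, ^0.2.1 -> <0.3.0, ^0.0.3 -> <0.0.4).
            Req::Caret(lo) => {
                let hi = if lo.0 > 0 { Version(lo.0 + 1, 0, 0) }
                    else if lo.1 > 0 { Version(0, lo.1 + 1, 0) }
                    else { Version(0, 0, lo.2 + 1) };
                v >= lo && v < hi
            }
        }
    }
}

/// One copy of the dependency in the lock file and the requirements it serves.
#[derive(Debug, PartialEq, Eq)]
pub struct Pick { pub version: Version, pub serves: Vec<Req> }

/// Simplified (greedy, hypothetical) model of Cargo's choice for one shared dependency.
pub fn resolve(reqs: &[Req], registry: &[Version]) -> Result<Vec<Pick>, String> {
    let mut groups: Vec<Vec<Req>> = Vec::new();
    for &r in reqs {
        if !registry.iter().any(|&v| r.matches(v)) {
            return Err(format!("no version in the registry satisfies {:?}", r));
        }
        // Join the first group that some single version can satisfy together with `r`.
        let pos = groups.iter().position(|g| {
            registry.iter().any(|&v| r.matches(v) && g.iter().all(|q| q.matches(v)))
        });
        match pos {
            Some(i) => groups[i].push(r),
            None => groups.push(vec![r]),
        }
    }
    let mut picks: Vec<Pick> = Vec::new();
    for serves in groups {
        // Cargo's default: the newest registry version satisfying every requirement in the group.
        let version = registry.iter().copied()
            .filter(|&v| serves.iter().all(|q| q.matches(v)))
            .max()
            .expect("every group was seeded from a satisfiable requirement");
        // Two copies are only allowed when they are semver-incompatible (e.g. 1.x beside 2.x).
        if let Some(other) = picks.iter().find(|p| p.version.bucket() == version.bucket()) {
            return Err(format!("conflict: {} and {} are semver-compatible but cannot be unified by {:?}", other.version, version, serves));
        }
        picks.push(Pick { version, serves });
    }
    Ok(picks)
}

pub fn parse_reqs(specs: &[&str]) -> Vec<Req> {
    specs.iter().map(|s| Req::parse(s).expect("valid requirement")).collect()
}

fn main() {
    // Constructed registry index standing in for the crates.io entries of `dep-1`.
    let registry: Vec<Version> = ["1.0.4", "1.2.0", "1.4.2", "1.9.1", "2.8.3", "2.9.0"]
        .iter().map(|s| Version::parse(s).unwrap()).collect();
    // awesome-lib wants 1.0.4 and another-lib wants 1.4.2: one shared copy.
    println!("{:?}", resolve(&parse_reqs(&["1.0.4", "1.4.2"]), &registry));
    // A third crate wanting 2.8.3 gets its own, semver-incompatible copy.
    println!("{:?}", resolve(&parse_reqs(&["1.0.4", "1.4.2", "2.8.3"]), &registry));
    // An exact pin in a library collides with a compatible caret requirement.
    println!("{:?}", resolve(&parse_reqs(&["=1.0.4", "1.4.2"]), &registry));
}
```

The third call is the practical caveat for the pinning advice: an `=` pin belongs in an application's lock file, where there is one consumer; put into a library's manifest it forces every other consumer of the same crate onto that exact version or the resolution fails, which is why libraries keep caret ranges and applications pin through the lock file.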

> The industry standard for the best peace of mind

I read about "industry standards" in software and never see them in the wild.

Odd to assume your own direct experience is uniformly distributed belief.

Then you haven’t looked at a lot of open source repos? A ton of them are using renovate/dependabot which are doing exactly that for you. And it is certainly good practice.