Another level of this dilemma:

• Pin all dependency versions – Prevents receiving security patches
• Don’t pin dependency versions – Enables supply chain attacks (see nesbitt.io/…/incident-report-cve-2024-yikes.html)