Pin dependencies?

[bmuenzenmeyer]

#5488 made me wonder: Can we instead pin our dependencies?

It's a small measure toward more determinism. Yes, we have lockfiles, but they are brittle and easy to be blown away on accident, change of branch, merge conflict, etc.

I've advocated for years that my teams should pin dependencies.

Here's some more thoughts:

• Rennovate "Any apps (web or Node.js) that aren't require()'d by other packages should pin all types of dependencies for greatest reliability/predictability" | https://docs.renovatebot.com/dependency-pinning/#so-whats-best
• Blog "My recommendation is to pin your dependencies." | https://maxleiter.com/blog/pin-dependencies
• Another Blog "Pin exact dependency versions
  " | https://betterdev.blog/pin-exact-dependency-versions/

A "downside" of this is potentially more upgrade noise, but I argue this is an appropriate price to pay for a site with as much scrutiny as nodejs.org. As @ovflowd stated in #5488 we can, in addition to this, reconsider automation.