jmull 4 days ago
> …why would [an] author write a version range that includes versions that don’t exist yet? … For that, kids, I have no good answer.

When you first take a dependency, you typically want the latest compatible version, to have all the available bug fixes (especially security fixes). Once you’ve started building on top of a dependency you need stability and have to choose when to take updates. It’s about validating the dependency… on first use, there’s no question you will be validating its use in your app. Later, you have to control when you take an update so you can ensure you have a chance to validate it. BTW, of course semantic versioning isn’t perfect. It just lowers the risk of taking certain bug fixes, making it feasible to take them more frequently. The lock file just holds the state for this mechanism.
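Added example, not code from the comment above: a small model of the mechanism jmull describes, where a caret range is resolved against whatever versions exist at first install and a lock file keeps that choice until an explicit update re-resolves it. The package name, registry contents and function names are constructed for illustration.

```python
from typing import Optional

Version = tuple[int, int, int]


def parse(v: str) -> Version:
    major, minor, patch = (int(x) for x in v.split("."))
    return (major, minor, patch)


def caret_matches(range_spec: str, candidate: Version) -> bool:
    """Caret range as in semver tooling: allow changes that do not touch
    the leftmost non-zero component of the base version (so ^1.2.0 also
    admits a 1.9.0 that has not been published yet)."""
    assert range_spec.startswith("^"), "only caret ranges are modelled here"
    base = parse(range_spec[1:])
    if candidate < base:
        return False
    if base[0] > 0:
        return candidate[0] == base[0]
    if base[1] > 0:
        return candidate[:2] == base[:2]
    return candidate == base


def resolve(range_spec: str, available: list[str]) -> Optional[str]:
    """First install: take the newest published version that satisfies the range."""
    matching = [parse(v) for v in available if caret_matches(range_spec, parse(v))]
    return ".".join(map(str, max(matching))) if matching else None


def install(pkg: str, range_spec: str, available: list[str], lock: dict) -> str:
    """A lock entry wins over the range: the range is only consulted when no pin exists."""
    if pkg in lock:
        return lock[pkg]
    chosen = resolve(range_spec, available)
    if chosen is None:
        raise LookupError(f"no published version of {pkg} satisfies {range_spec}")
    lock[pkg] = chosen  # the lock file holds the state of this decision
    return chosen


def update(pkg: str, range_spec: str, available: list[str], lock: dict) -> str:
    """The explicit, reviewable step: drop the pin and re-resolve against today's registry."""
    lock.pop(pkg, None)
    return install(pkg, range_spec, available, lock)


# Constructed registry snapshots: 1.4.0 is published after the first install.
REGISTRY_DAY1 = ["1.2.0", "1.2.3", "1.3.0", "2.0.0"]
REGISTRY_DAY2 = REGISTRY_DAY1 + ["1.4.0"]
```

Running `install("libfoo", "^1.2.0", REGISTRY_DAY2, lock)` after a day-1 install still returns the pinned `1.3.0`; only `update(...)` moves to `1.4.0`, which is the point at which the new version gets validated.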