sjrd 4 days ago
Having read the article and read some of the comments here, I think many could learn from dependency management rules in the Scala ecosystem. Scala uses Maven repositories (where the common practice is to use fixed dependency versions) but with different resolution rules:

* When there are conflicting transitive versions, the highest number prevails (not the closest to the root).
* Artifacts declare the versioning scheme they use (SemVer is common, but there are others).
* When resolving a conflict, the resolution checks whether the chosen version is compatible with the evicted version according to the declared version scheme. If incompatible, an error is reported.
* You can manually override a transitive resolution and bypass the error if you need to.

The above has all the advantages of all the approaches advocated for here:

* Deterministic, time-independent resolution.
* No need for lock files.
* No silent eviction of a version in favor of an incompatible one.
* For compatible evictions, everything works out of the box.
* Security update in a transitive dependency? No problem, declare a dependency on the new version. (We have bots that even automatically send PRs for this.)
* Conflicting dependencies, but you know what you're doing? No problem, force an override.
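As an added illustration of the rules sjrd describes (this is not code from the comment, and the `com.example` artifacts and their versions are hypothetical), here is how those four rules surface in an sbt build file. It assumes sbt 1.5 or newer, where the `versionScheme`, `libraryDependencySchemes` and `evictionErrorLevel` keys exist:

```scala
// build.sbt, sbt 1.5+ assumed. All com.example coordinates are hypothetical.

ThisBuild / scalaVersion := "2.13.12"

// Rule 2: declare the versioning scheme this project's own artifacts follow.
// sbt records it in the published POM so downstream builds can run the
// compatibility check against it.
ThisBuild / versionScheme := Some("early-semver")

// A dependency that was published before scheme declarations existed can be
// assigned one locally, so the check still applies to it.
ThisBuild / libraryDependencySchemes +=
  "com.example" %% "legacy-util" % "early-semver"

// Rule 3: when the highest version wins but is incompatible with the evicted
// one under the declared scheme, fail the build instead of evicting silently.
// (Level.Error is the default; Level.Warn would only log the conflict.)
ThisBuild / evictionErrorLevel := Level.Error

lazy val root = (project in file("."))
  .settings(
    name := "resolution-demo",
    libraryDependencies ++= Seq(
      // Suppose service-a depends on foo-core 1.2.0 and service-b on
      // foo-core 2.0.1. Rule 1: the highest version, 2.0.1, prevails.
      // Under early-semver a 1.x -> 2.x change is a major bump, so without
      // further action the eviction is reported as an error.
      "com.example" %% "service-a" % "3.1.0",
      "com.example" %% "service-b" % "4.0.0",

      // Security fix in a transitive dependency: depend on the patched
      // version directly. 2.0.1 -> 2.0.3 is a patch bump, compatible under
      // early-semver, so the upward eviction is silent and needs no override.
      "com.example" %% "foo-core" % "2.0.3"
    ),

    // Rule 4, escape hatch: force the version you have verified works.
    // dependencyOverrides pins the module without touching the declarations
    // of the libraries that pulled it in.
    dependencyOverrides += "com.example" %% "legacy-util" % "0.9.2",

    // ...and, for a module whose major-version mix you have deliberately
    // accepted, opt it out of the compatibility check with the "always"
    // scheme, which treats every version of that module as compatible.
    libraryDependencySchemes += "com.example" %% "legacy-util" % "always"
  )
```

The two settings at the end are the "you know what you're doing" step: pinning alone fixes which version is resolved, while the `"always"` scheme is what suppresses the eviction error for that one module. Keeping the opt-out per module (rather than lowering `evictionErrorLevel` globally) preserves the check for every other dependency in the graph, which is the property that makes the scheme useful for catching a bad transitive upgrade.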