> And users are definitely not typing a hash when adding a new dependency to package.json or Cargo.toml

I actually much prefer that: specify the git revision to use (i.e. a SHA1 hash). I don't particularly care what "version number" that may or may not have.