apimade 2 days ago

When it comes to accidentally installing a malicious package in your dev environment, the concern isn’t “what’s already installed”, it’s what’s potentially going to be installed in the future by you or your colleagues.

So, you pin the version and update periodically when security issues arise in your dependencies.