Or just lock to a specific version?

Eventually you will want to update it, every update is a risk.

	▲	SkyPuncher 3 hours ago \| parent [-]
		But, pinning has prevented most of the recent supply chain attacks. As long as you don't update your pins during an active supply chain attack, the risk surface is rather low.