Eventually you will want to update it, every update is a risk.

But, pinning has prevented most of the recent supply chain attacks.

As long as you don't update your pins during an active supply chain attack, the risk surface is rather low.