I guess this is the case for new installs, but for existing dependencies, can’t you simply pin them to a patch release and point at the SHA?