Would strongly recommend a lockfile if these things sound like a good idea:
- (fairly) reproducible builds in that you don't want dependencies blind-updating without knowing about it
- removing "works on my machine" issues caused by different dependency versions
- being able to cache dependency download folders in CI and use the lockfile as the cache key
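As an added illustration of the last point (example code, not the commenter's own): a POSIX shell helper that derives a CI cache key from the lockfile's content hash, so a dependency folder is reused only while the lockfile is unchanged and any lockfile edit forces a fresh install. Paths, the `INSTALL_CMD` argument and the cache layout are assumptions for the example.

```shell
#!/bin/sh
# Added example: use the lockfile's hash as the cache key for a dependency folder.
set -eu

# cache_key LOCKFILE -> prints "<basename>-<sha256>" for use as the cache key.
# Refuses to proceed when the lockfile is absent, since a build without one
# cannot be tied to a known dependency set.
cache_key() {
  lock="$1"
  [ -f "$lock" ] || { echo "lockfile $lock missing; refusing to build" >&2; return 1; }
  sum=$(sha256sum "$lock" | cut -c1-64)
  printf '%s-%s\n' "$(basename "$lock")" "$sum"
}

# restore_or_populate LOCKFILE CACHE_ROOT DEPS_DIR INSTALL_CMD
# Reuses CACHE_ROOT/<key> as DEPS_DIR when present; otherwise runs INSTALL_CMD
# (assumed to populate DEPS_DIR) and stores the result under that key.
# Prints "hit" or "miss" so a pipeline can log which path was taken.
restore_or_populate() {
  lock="$1"; root="$2"; deps="$3"; install="$4"
  key=$(cache_key "$lock") || return 1
  if [ -d "$root/$key" ]; then
    rm -rf "$deps"; cp -r "$root/$key" "$deps"
    echo hit
  else
    rm -rf "$deps"; mkdir -p "$deps"
    sh -c "$install"
    mkdir -p "$root"; cp -r "$deps" "$root/$key"
    echo miss
  fi
}
```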