progbits 2 days ago

If that action itself has unpinned dependencies, that doesn't accomplish much.

baobun 2 days ago | parent [-]

Don't use such actions. Or fork them and commit add the lockfile yourself, if you're cool with the implied maintenance.

progbits 2 days ago | parent | next [-]

Sure, or we come up with a proper solution via lockfiles so we don't have to keep forking and maintaining, and make full dependency locks the default so everyone benefits.

This is a long solved problem in every other ecosystem. This particular implementation isn't great but it has the right idea.

g947o 2 days ago | parent | prev [-]

> Or fork them and commit add the lockfile yourself

Depending on the action you use, this is no small task. You might as well just switch to something else altogether.