Could you elaborate a little? Are you saying it should ignore vulnerable packages simply because you pinned it to a specific version? Or does it warn even if your specific version isn't vulnerable?