You can still lock versions, or even hashes. But it still leaves you open to "denial of service" if the "interwebs" acts up or someone unpublishes a package.
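
The distinction made above, as an added example that is not part of the original comment: a pinned version and hash detect changed bytes, but they cannot supply a package the registry no longer serves. The registry is simulated as an in-memory dict, and the package names, contents and function names are all constructed for illustration.

```python
import hashlib

# Constructed sample artifacts standing in for a public registry's contents.
ORIGINAL_REGISTRY = {
    ("padlib-demo", "1.0.0"): b"def pad(s, n): return s.rjust(n)\n",
    ("http-demo", "2.3.1"): b"def get(url): ...\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_lock(registry: dict) -> dict:
    """Pin every package to an exact version and the SHA-256 of its bytes."""
    return {name: {"version": ver, "sha256": sha256_hex(blob)}
            for (name, ver), blob in registry.items()}

def resolve(lock: dict, registry: dict) -> dict:
    """Fetch each locked package and classify the outcome per package."""
    results = {}
    for name, pin in lock.items():
        blob = registry.get((name, pin["version"]))
        if blob is None:
            # Outage or unpublish: the lock holds only a digest, not the bytes.
            results[name] = "unavailable"
        elif sha256_hex(blob) != pin["sha256"]:
            # Same version, different content: the pin catches this case.
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results

def build_can_proceed(results: dict) -> bool:
    return all(status == "ok" for status in results.values())

LOCK = make_lock(ORIGINAL_REGISTRY)

# Scenario 1 (constructed): a version is republished with different bytes.
TAMPERED = dict(ORIGINAL_REGISTRY)
TAMPERED[("http-demo", "2.3.1")] = b"def get(url): ...  # altered\n"

# Scenario 2 (constructed): a package disappears from the registry.
UNPUBLISHED = {k: v for k, v in ORIGINAL_REGISTRY.items() if k[0] != "padlib-demo"}

if __name__ == "__main__":
    for label, reg in [("intact", ORIGINAL_REGISTRY),
                       ("tampered", TAMPERED),
                       ("unpublished", UNPUBLISHED)]:
        outcome = resolve(LOCK, reg)
        print(label, outcome, "build ok:", build_can_proceed(outcome))
```

In both failure scenarios the build stops; the lock only decides whether it stops because of an integrity failure or an availability failure.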