Pinning the version also avoids the risk of accidentally introducing new vulnerabilities while reimplementing the package yourself.