Reply to zb1c4k and should be merged.
Link: Lobsters story zb1c4k, discussing The modern packager’s security nightmare
While software with pinned or too-tight dependency constraints often causes issues for me (as a user) – I agree with the core point here. No one can expect anything of an upstream: not a particular dependency usage, version scheme, acceptance of patches, ongoing maintenance, or continued existence.
Software freedom is the freedom to fork. Anything an upstream does for anyone (including existing at all) is a bonus.