"the build system handles it now" ... if lock files are not checked in, are they really pinning anything?

"strict versions" moves the trust to the provider of the dependency repository.