just spent 3 hours debugging a production issue caused by a 3rd party lib that decided to silently break in its latest patch version. can we please just freeze dependencies already?