Which Is Better For Reducing Outdated and Vulnerable Dependencies: Pinning or Floating?
arXiv CS.LG
arXiv:2510.08609v3

Developers consistently use version constraints to specify acceptable versions of the dependencies for their project. Pinning dependencies can reduce the likelihood of breaking changes, but comes with the cost of manually managing the replacement of outdated and vulnerable dependencies. On the other hand, floating can be used to automatically get bug fixes and security fixes, but comes with the risk of breaking changes.
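To make the pinning/floating trade-off concrete, the following added example (not code from the paper or from any package manager) resolves npm-style version constraints against a constructed list of published releases and reports, for each constraint, whether the chosen release is in a constructed set of known-vulnerable versions, whether it lags the newest release, and whether floating would carry the project across a major-version boundary. The semver range rules (exact pin, `~` patch floating, `^` minor floating, `>=` open floating) follow the usual npm conventions; the release list and the vulnerable set are invented for illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]

# Constructed sample data: published releases of a hypothetical package,
# and the subset of those releases with a known vulnerability. In this
# invented history the bug present in 1.2.3 is fixed in 1.2.4.
AVAILABLE: List[str] = ["1.2.3", "1.2.4", "1.3.0", "2.0.0"]
VULNERABLE: Set[str] = {"1.2.3"}


def parse(v: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple."""
    major, minor, patch = (int(part) for part in v.split("."))
    return (major, minor, patch)


def bounds(constraint: str) -> Tuple[Version, Optional[Version], bool]:
    """Translate a constraint into (lower, exclusive upper, exact) using
    npm-style semantics:
      '1.2.3'   pinned: only that version
      '~1.2.3'  floating patch:  >=1.2.3 <1.3.0
      '^1.2.3'  floating minor:  >=1.2.3 <2.0.0 (0.y.z: <0.(y+1).0; 0.0.z: <0.0.(z+1))
      '>=1.2.3' floating without an upper bound
    """
    if constraint.startswith(">="):
        return parse(constraint[2:]), None, False
    if constraint.startswith("~"):
        major, minor, patch = parse(constraint[1:])
        return (major, minor, patch), (major, minor + 1, 0), False
    if constraint.startswith("^"):
        major, minor, patch = parse(constraint[1:])
        if major > 0:
            upper: Version = (major + 1, 0, 0)
        elif minor > 0:
            upper = (0, minor + 1, 0)
        else:
            upper = (0, 0, patch + 1)
        return (major, minor, patch), upper, False
    pinned = parse(constraint)
    return pinned, None, True


def satisfies(version: Version, constraint: str) -> bool:
    lower, upper, exact = bounds(constraint)
    if exact:
        return version == lower
    return version >= lower and (upper is None or version < upper)


def resolve(constraint: str, available: List[str]) -> Optional[str]:
    """Pick the newest published release allowed by the constraint, as a
    resolver would at install time. Returns None if nothing matches."""
    candidates = [v for v in available if satisfies(parse(v), constraint)]
    return max(candidates, key=parse) if candidates else None


def assess(constraint: str, available: List[str], vulnerable: Set[str]) -> Dict[str, object]:
    """Report the security-relevant consequences of a constraint choice."""
    chosen = resolve(constraint, available)
    latest = max(available, key=parse)
    base_major = bounds(constraint)[0][0]
    return {
        "constraint": constraint,
        "resolved": chosen,
        # A pinned vulnerable version stays vulnerable until a human edits the pin.
        "vulnerable": chosen in vulnerable,
        # "Outdated" here means: a newer release exists that this constraint cannot reach.
        "outdated": chosen != latest,
        # Crossing a major boundary is where floating exposes the project to breaking changes.
        "crosses_major": chosen is not None and parse(chosen)[0] != base_major,
    }


if __name__ == "__main__":
    for c in ["1.2.3", "~1.2.3", "^1.2.3", ">=1.2.3"]:
        print(assess(c, AVAILABLE, VULNERABLE))
```

Running the block shows the spectrum the abstract describes: the exact pin resolves to 1.2.3 and stays vulnerable and outdated; `~1.2.3` picks up the 1.2.4 security fix without leaving the 1.2 line; `^1.2.3` reaches 1.3.0; and the open `>=1.2.3` constraint reaches 2.0.0, the newest release, but crosses a major version, which is exactly where breaking changes are to be expected.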