Note, it was different ~5 years ago. When we wanted to upgrade from React 15 to 16 for better runtime speed, we had to upgrade Babel first, and that required a webpack upgrade iirc. It was a mess. But the ecosystem has matured a lot since then and we haven't done major setup changes since. It just works.
If you care a little bit about those critical / major security vulnerability alerts, and are working with NPM professionally, I shouldn't need to answer the question. If you are not, it's because NPM moves very fast: you can lock in your dependencies, but soon enough they'll start signaling vulnerabilities.
We check out all these reports, but in 99% of the cases it's something like "if you pipe user data into this command line tool, then it's hackable!!" and said tool only gets used by our build toolchain and not by runtime code, so no user data ever gets piped there. We've not yet run into a must-upgrade dependabot vuln that was also non-trivial to upgrade because of the infamous (but, in our experience, untrue) NPM dependency hell story.
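The triage the comment above describes (is the flagged package reachable from runtime dependencies, or only from the build toolchain?) can be automated from the lockfile. The script below is an added example and not code from anyone in this thread; it assumes two npm data shapes: a lockfileVersion 2/3 `packages` map whose entries carry `"dev": true` when a package is only reachable via devDependencies, and the `vulnerabilities[name].nodes` install paths emitted by `npm audit --json` on npm 7+. The sample lockfile and audit fragment are constructed, and their severities are made up.

```javascript
// Added example (not from the thread). Splits npm audit findings into
// "runtime" and "devOnly" using the lockfile's per-path "dev" flags.
// Assumptions: lockfileVersion 2/3 "packages" map; npm 7+ audit JSON
// with "vulnerabilities[name].nodes" install paths.

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { qs: "^6.0.0", lodash: "^4.0.0" },
          devDependencies: { webpack: "^5.0.0" } },
    "node_modules/qs": { version: "6.5.0" },
    "node_modules/lodash": { version: "4.17.0" },
    "node_modules/webpack": { version: "5.0.0", dev: true },
    "node_modules/minimist": { version: "1.2.0", dev: true },
    // A second, nested copy of lodash pulled in only by the build tool.
    "node_modules/webpack/node_modules/lodash": { version: "4.16.0", dev: true },
  },
};

// Constructed `npm audit --json` fragment (severities are made up).
const SAMPLE_AUDIT = {
  vulnerabilities: {
    minimist: { name: "minimist", severity: "critical", isDirect: false,
                nodes: ["node_modules/minimist"] },
    qs:       { name: "qs", severity: "high", isDirect: true,
                nodes: ["node_modules/qs"] },
    lodash:   { name: "lodash", severity: "moderate", isDirect: true,
                nodes: ["node_modules/lodash",
                        "node_modules/webpack/node_modules/lodash"] },
    // A path the lockfile does not know about: must not be waved through.
    ghost:    { name: "ghost", severity: "low", isDirect: false,
                nodes: ["node_modules/ghost"] },
  },
};

// A finding is dev-only only if EVERY installed copy is flagged dev.
// Paths missing from the lockfile count as runtime (fail closed).
function isDevOnly(lockPackages, nodes) {
  if (!Array.isArray(nodes) || nodes.length === 0) return false;
  return nodes.every((p) => lockPackages[p] !== undefined && lockPackages[p].dev === true);
}

function classifyFindings(lock, audit) {
  const lockPackages = (lock && lock.packages) || {};
  const result = { runtime: [], devOnly: [] };
  for (const v of Object.values((audit && audit.vulnerabilities) || {})) {
    const bucket = isDevOnly(lockPackages, v.nodes) ? result.devOnly : result.runtime;
    bucket.push({ name: v.name, severity: v.severity, direct: Boolean(v.isDirect) });
  }
  // Runtime findings first by severity so the must-upgrade ones stand out.
  const rank = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };
  result.runtime.sort((a, b) => (rank[a.severity] ?? 9) - (rank[b.severity] ?? 9));
  return result;
}

// Human-readable report, returned as a string so callers decide where it goes.
function formatReport(result) {
  const line = (tag) => (f) => `${tag} ${f.severity.padEnd(8)} ${f.name}${f.direct ? " (direct)" : ""}`;
  return [...result.runtime.map(line("RUNTIME ")), ...result.devOnly.map(line("DEV-ONLY"))].join("\n");
}

// Usage with real files (paths are assumptions):
//   npm audit --json > audit.json
//   node -e 'const fs=require("fs"); ...JSON.parse(fs.readFileSync("package-lock.json"))...'
// i.e. parse both files and pass them to classifyFindings(lock, audit).
```

Two things the script deliberately gets right: a package with one dev-only copy and one runtime copy (lodash here) stays in the runtime bucket, and an install path the lockfile cannot account for is never classified as dev-only. Dev-only findings are still worth reading, since a build step that processes attacker-controlled input is runtime exposure in disguise.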
Good luck with that in the NPM ecosystem