lockfiles are useful to speed things up, you avoid waterfalling

and as some people mentioned, if a dependency of a dependency provides an important security patch, do you want to wait for your dependency to update first? or do you rely on overrides?