I would think that if one checked that all the dependencies were locked properly all the way down the tree, it would then be sufficient to lock just the top level dependencies.
1 Like
That would require you to download each level of dependencies individually and check them to see what to download next. A lockfile that contains everything can be parsed once, and then a download queue can be created that pulls everything.
There might be some more reasons, though this one is the most obvious to me.
2 Likes
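To make the difference concrete, here is an added example (not code from this thread or from any particular package manager) that simulates both approaches against a constructed in-memory registry. The package names, the registry layout and the JSON lockfile format are all assumptions made for illustration. It also goes one step beyond the post: the full lockfile records a content hash for every transitive package, so installation from it needs no metadata round trips at all and rejects a substituted tarball.

```python
"""Resolving a dependency tree from top-level pins versus a full lockfile.

Added example, not from the thread. The registry, package names and
lockfile format are constructed for illustration only.
"""
import hashlib
import json
from collections import deque

# Constructed registry: name -> version -> (direct dependencies, tarball bytes).
REGISTRY = {
    "app-http": {"1.2.0": ({"app-tls": "3.0.1", "app-log": "0.9.0"}, b"http-1.2.0")},
    "app-tls": {"3.0.1": ({"app-asn1": "2.1.0"}, b"tls-3.0.1")},
    "app-log": {"0.9.0": ({}, b"log-0.9.0")},
    "app-asn1": {"2.1.0": ({}, b"asn1-2.1.0")},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Registry:
    """Wraps a registry dict and counts metadata round trips to the index."""

    def __init__(self, packages):
        self.packages = packages
        self.metadata_fetches = 0

    def metadata(self, name, version):
        self.metadata_fetches += 1
        deps, _ = self.packages[name][version]
        return dict(deps)

    def download(self, name, version):
        _, blob = self.packages[name][version]
        return blob


def resolve_from_top_level(registry, top_level):
    """Walk the tree level by level. Each package's metadata must be fetched
    before the names of the next level are even known. (Version conflicts
    are ignored here; a real resolver would have to handle them.)"""
    resolved = {}
    frontier = deque(top_level.items())
    while frontier:
        name, version = frontier.popleft()
        if name in resolved:
            continue
        resolved[name] = version
        for dep_name, dep_version in registry.metadata(name, version).items():
            frontier.append((dep_name, dep_version))
    return resolved


def write_lockfile(registry, resolved):
    """Record every resolved package with its version and tarball hash."""
    return json.dumps({
        name: {"version": version,
               "sha256": sha256_hex(registry.download(name, version))}
        for name, version in sorted(resolved.items())
    }, indent=2)


def queue_from_lockfile(lock_text):
    """Parse once; every name, version and hash is already present."""
    lock = json.loads(lock_text)
    return deque((name, entry["version"], entry["sha256"])
                 for name, entry in lock.items())


def install_from_queue(registry, queue):
    """Drain the queue, verifying each tarball against the recorded hash."""
    installed = {}
    while queue:
        name, version, expected = queue.popleft()
        blob = registry.download(name, version)
        if sha256_hex(blob) != expected:
            raise ValueError(f"integrity mismatch for {name}@{version}")
        installed[name] = version
    return installed


def rejects_substituted_tarball(lock_text) -> bool:
    """Serve a different tarball for one transitive package and confirm that
    the hash recorded in the lockfile catches it."""
    altered = {name: dict(versions) for name, versions in REGISTRY.items()}
    altered["app-asn1"]["2.1.0"] = ({}, b"asn1-2.1.0-replaced")
    try:
        install_from_queue(Registry(altered), queue_from_lockfile(lock_text))
    except ValueError:
        return True
    return False


def demo():
    """Run both strategies and report how many index round trips each needed."""
    reg = Registry(REGISTRY)
    resolved = resolve_from_top_level(reg, {"app-http": "1.2.0"})
    lock = write_lockfile(reg, resolved)
    reg2 = Registry(REGISTRY)
    installed = install_from_queue(reg2, queue_from_lockfile(lock))
    return {
        "resolved": resolved,
        "installed": installed,
        "fetches_without_full_lockfile": reg.metadata_fetches,
        "fetches_with_full_lockfile": reg2.metadata_fetches,
        "tamper_detected": rejects_substituted_tarball(lock),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With only the top-level pin, the resolver makes one metadata round trip per package (four here) and learns the names of the next level only after each reply; from the full lockfile the install needs zero, and the recorded hashes mean a different tarball for a transitive package is refused rather than silently installed.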