Friends Don't Let Friends Use :latest
Blog post from Mergify
Floating versions like :latest, ^, and ~, while seemingly convenient, pose significant risks to software reproducibility and security, leading to broken builds, hidden regressions, and potential supply chain attacks. The post highlights the dangers of relying on these floating references, such as unexpected changes in GitHub Actions, Docker images, and package dependencies that can disrupt CI pipelines or introduce malicious code, exemplified by incidents like the SolarWinds breach and npm credential phishing. To mitigate these risks, it recommends pinning dependencies to exact, immutable versions and using tools like Dependabot and Renovate, which update dependencies safely and explicitly through reviewable pull requests. By enforcing pinning through CI tools and avoiding untracked installs, teams keep control over their software environment, ensuring updates happen on their terms and reducing exposure to upstream changes. The post's thesis is that reproducibility and security are essential features, not optional luxuries, and it urges developers to "pin everything" for greater peace of mind and reliability in CI/CD processes.
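The "enforce pinning through CI tools" point above, as an added example that is not Mergify's code or from the original post: a small Python pin-check a CI job could run over a workflow file, a Dockerfile and a package.json, flagging action refs that are not full commit SHAs, images not pinned by digest, and ^/~ ranges. The sample inputs, the 40-hex SHA and the digest are constructed placeholders.

```python
import re

# Constructed sample inputs; the SHA and digest values are placeholders, not real artifacts.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""
DOCKERFILE = ("FROM python:latest\nFROM node:20\n"
              "FROM --platform=linux/amd64 alpine@sha256:" + "0" * 64 + "\nFROM scratch\n")
PACKAGE_JSON = """\
{
  "dependencies": {
    "left-pad": "^1.3.0",
    "lodash": "4.17.21",
    "chalk": "~5.0.0"
  }
}
"""

ACTION_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")   # `uses: owner/repo@ref`
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                    # only a commit SHA is immutable
DOCKER_FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")               # tags (even 'node:20') can be re-pushed
NPM_RANGE = re.compile(r'"([^"]+)":\s*"([\^~][^"]*)"')      # caret/tilde ranges float, x.y.z does not

def check_workflow(text: str) -> list[tuple[int, str]]:
    """Flag `uses:` refs that are tags or branches rather than a full commit SHA."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACTION_USES.match(line)
        if not m or m.group(1).startswith("./"):   # local actions carry no ref to pin
            continue
        ref = m.group(1).partition("@")[2]
        if not FULL_SHA.match(ref):
            findings.append((n, f"action ref '{ref or '<none>'}' is not a commit SHA"))
    return findings

def check_dockerfile(text: str) -> list[tuple[int, str]]:
    """Flag FROM images not pinned by digest (':latest', untagged, or tag-only)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = DOCKER_FROM.match(line)
        if not m or m.group(1).lower() == "scratch":   # empty base image, nothing to pin
            continue
        if not DIGEST.search(m.group(1)):
            findings.append((n, f"image '{m.group(1)}' is not pinned by digest"))
    return findings

def check_package_json(text: str) -> list[tuple[int, str]]:
    """Flag ^ and ~ ranges; exact versions (plus a lockfile) are the pinned form."""
    return [(n, f"dependency '{name}' uses floating range '{rng}'")
            for n, line in enumerate(text.splitlines(), 1)
            for name, rng in NPM_RANGE.findall(line)]

def run_all() -> list[str]:
    """CI gate: a non-empty result means the build should fail."""
    checks = (("workflow", check_workflow, WORKFLOW), ("Dockerfile", check_dockerfile, DOCKERFILE),
              ("package.json", check_package_json, PACKAGE_JSON))
    return [f"{label}:{n}: {msg}" for label, fn, text in checks for n, msg in fn(text)]
```

Wire `run_all()` into a CI step that exits non-zero when the list is non-empty, so a floating reference cannot merge without a reviewed, explicit pin.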