Just to be clear, you can actually pin down the dependencies by creating a `component.json` manifest and adding the specific versions you want. You'd want to do this when publishing your own components, or when building a large app, but for quickly sketching out ideas you can just require them inline. Basically the manifest is optional, so you can choose when it makes sense to lock things down.
Not quite yet, but it totally could. We've been talking about trying to find a way to directly pin in the source with the help of a nice CLI instead, so that we can keep having no manifests but get pinned deps at the same time, without having to manually go through them all.