Feedback on `cargo-upgrade` to prepare it for merging

I don't understand this phrase. Nothing keeps you from using newer capabilities. Did you mean to say "to ensure you do use new capabilities"?

This is kinda ironic, because if someone actually reviewed their deps and ensured the hashes in Cargo.lock match, you trade supposed security fixes for supply chain attacks. The situation is not great and the solution isn't obvious.

That sounds like a good thing, yes.

How about setting patch to zero unless the dependency is known for not following semver (e.g. serde)? I myself tend to check when a feature I want to use was added, but I guess not everyone has the motivation to do that.
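The "set patch to zero" rule from the post above, as an added example and not cargo-upgrade's own code: a function that rewrites a bare or caret requirement such as `1.2.3` to `1.2.0` unless the crate is on an exception list. The function name `zero_patch`, the `EXCEPTIONS` list (seeded with `serde` only because the post names it) and the sample dependency table are assumptions made for this example. It also adds one caveat the post does not mention: a caret requirement on a `0.0.x` version pins the patch exactly (`^0.0.3` means `>=0.0.3, <0.0.4`), so zeroing it would change the meaning, and such requirements are passed through untouched.

```rust
/// Crates whose patch releases are assumed to add API, so the exact patch
/// must stay in the requirement. `serde` is the example given in the post;
/// the list itself is an assumption for this example.
pub const EXCEPTIONS: &[&str] = &["serde"];

/// Rewrite a bare or caret requirement such as "1.2.3" or "^1.2.3" to
/// "1.2.0" / "^1.2.0": same compatible range upper bound, but no longer
/// demanding a specific patch release.
///
/// The input is returned unchanged when:
///   - `name` is listed in `EXCEPTIONS`;
///   - the requirement uses another operator (=, >=, <, ~, *, ranges);
///   - it has no patch component ("1.2", "1") or a pre-release/build suffix;
///   - major and minor are both 0, because a caret requirement on 0.0.x
///     means ">=0.0.x, <0.0.(x+1)" and zeroing the patch would change it.
pub fn zero_patch(name: &str, req: &str) -> String {
    if EXCEPTIONS.contains(&name) {
        return req.to_string();
    }
    let (prefix, body) = match req.strip_prefix('^') {
        Some(rest) => ("^", rest),
        None => ("", req),
    };
    // Anything that is not plain digits and dots is passed through untouched.
    if !body.chars().all(|c| c.is_ascii_digit() || c == '.') {
        return req.to_string();
    }
    let parts: Vec<&str> = body.split('.').collect();
    if parts.len() != 3 || parts.iter().any(|p| p.is_empty()) {
        return req.to_string();
    }
    let (major, minor) = (parts[0], parts[1]);
    if major == "0" && minor == "0" {
        return req.to_string();
    }
    format!("{}{}.{}.0", prefix, major, minor)
}

fn main() {
    // Constructed sample of requirements as an upgrade tool might have written them.
    let deps = [
        ("rand", "0.8.5"),
        ("serde", "1.0.197"),
        ("tiny", "0.0.3"),
        ("log", "^0.4.21"),
        ("pinned", "=1.2.3"),
    ];
    for &(name, req) in deps.iter() {
        println!("{} = \"{}\"  ->  \"{}\"", name, req, zero_patch(name, req));
    }
}
```

Running it shows `rand` and `log` losing their patch component while `serde` (exception), `tiny` (0.0.x) and `pinned` (exact-version operator) are left as they were; a real tool would read and write the `[dependencies]` table of Cargo.toml around this function.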

Anyway, reading these posts seems to indicate that my idea of hiding new items is even more useful than I thought.