For security purposes it is recommended to always pin third party dependencies and also have a dependency update service that validates the pinned dependencies are kept up to date.

Engine has different types of dependencies:

• Git repository dependencies, source that is checked out and integrated at runtime.
• Packages dependencies, binary dependencies downloaded using ad-hoc scripts.
• CIPD dependencies, binary dependencies using the cipd packages services.

We need to pin all these dependencies and also implement a service to keep them up to date.