
Typically you lock in specific revisions of your dependencies until the next time you run your dependency management tool, at which point it is free to bring in nonbreaking changes.

You don't want stuff changing of its own accord without a corresponding commit in your own repo. Especially not on a per-installation basis. Sometimes people get SemVer wrong. Or you may be bitten by the bug that caused a patch release on one machine, and want to reproduce the issue on another.

But the downside of pinning versions is that you don't get the patch release in dependency A until you go to update/install unrelated dependency B. For a mature project, that could be never, or only by giant leaps every few months or years. Tools like this keep your version locks consistently up to date.
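The situation the comment describes, as an added example that is not part of the original post: a small SemVer-aware check that compares a lock file's pinned versions against the versions a registry offers and reports every pin that has fallen behind a newer non-breaking release. The package names, lock and registry contents are constructed sample data, not real packages, and caret-style (`^`) compatibility is assumed as the "non-breaking" rule.

```python
"""Added example (not from the HN comment): find lock-file entries that lag
behind a newer SemVer-compatible release, i.e. the patch release in A you
never get until you touch B. All package data below is constructed."""
import re

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse(v):
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    m = SEMVER.match(v)
    if not m:
        raise ValueError(f"not a plain SemVer version: {v}")
    return tuple(int(x) for x in m.groups())

def compatible(locked, candidate):
    """Caret semantics (assumed): same major, or same minor when major is 0,
    and never older than the version already locked."""
    l, c = parse(locked), parse(candidate)
    if l[0] != c[0]:
        return False
    if l[0] == 0 and l[1] != c[1]:
        return False
    return c >= l

def stale_locks(lock, registry):
    """Return {name: (locked, newest compatible)} for each pinned dependency
    where the registry has a newer non-breaking release than the lock."""
    out = {}
    for name, locked in lock.items():
        cands = [v for v in registry.get(name, []) if compatible(locked, v)]
        if not cands:
            continue
        newest = max(cands, key=parse)
        if parse(newest) > parse(locked):
            out[name] = (locked, newest)
    return out

# Constructed sample data (hypothetical packages, not a real registry).
LOCK = {"alpha": "1.4.2", "beta": "0.3.1", "gamma": "2.0.0"}
REGISTRY = {
    "alpha": ["1.4.2", "1.4.3", "2.0.0"],  # 1.4.3 is a compatible patch; 2.0.0 is breaking
    "beta":  ["0.3.1", "0.3.2", "0.4.0"],  # 0.x: only 0.3.x counts as non-breaking
    "gamma": ["2.0.0"],                    # nothing newer available
}

if __name__ == "__main__":
    for name, (old, new) in stale_locks(LOCK, REGISTRY).items():
        print(f"{name}: locked {old}, compatible update {new} available")
```

Running it against the sample data reports `alpha` and `beta` as stale and leaves `gamma` alone; the same function run over a real lock file is the check a bot like the one discussed performs on each cycle.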
