Except the default behavior of yarn add / npm install is to pin a semver. I.e. if the current version is 1.2.3, the package.json will specify “^1.2.3” which will auto-update to any new release that’s versioned below 2.0.0. And the node community is at least half-decent about following semver and doesn’t usually push breaking changes on a point-release.
You can lock Python versions.
But by default, people type pip/npm/apt/yum install without the version.
Nothing unique to Python.