I guess I wondered if you updated the dependencies beyond the .lock file versions on purpose to help with bugs. It’s my first time using any dependency managers to create ‘sandbox’ environments and I also think it’s pretty cool for standardisation.
Also, you might be interested to know that Node.js/npm has the same functionality using the .json file:
install - Installs dependencies to the dev spec in the json file
update - Ignores the json file and updates to the latest available
There’s a short post here that explains their behaviour well if it interests you.
After I posted this I found your write-up on Ubuntu.
Actually both your guides helped me in different places with Debian, so thank you! Now I have to fix a login screen bug.