webflo/drupal-core-strict creates dependency conflicts

[danepowell]

Composer is generally built on the philosophy that you shouldn't "pin" package versions unless absolutely necessary (such as when patching a package, deploying a build artifact, or working with a "root level" project where you obviously want to use composer.lock).

With that in mind, I'm not sure why Reservoir relies on webflo/drupal-core-strict, which pins all Drupal core dependencies to the exact versions used by core. The problem is that this can easily create dependency conflicts with all sorts of other packages, such as BLT: acquia/blt#1792

I could see how this would theoretically improve stability somewhat by ensuring that no package version is ever used that hasn't specifically been tested with core. But as a practical matter, I've never actually seen problems arise from using floating package versions, and other distributions such as Lightning don't use webflo/drupal-core-strict.

Also, extending this pattern to other packages besides Drupal core would create a completely unusable ecosystem--you'd hardly be able to install any packages at all due to dependency conflicts. So I'm not sure why we should treat Drupal core as a special snowflake.