frphank 1 year ago
There is also a larger problem here. Your thinking revolves around isolated, single repositories. But the open source world has repositories referring to one another. Example: #L34 The whole chain of repositories must be decentralized and highly available. This is the problem I have to solve.

Replies (2)

This is a good point. There is often a lock file referring to a particular state of each dependency. However, centralised package managers are almost always trusted by project maintainers to provide the authoritative latest state. There are usually only a small number of authoritative package providers for each tech stack, which have a strategic lock due to network effect and language-specific features. Is this what you mean?
frphank 1 year ago
Relying on the centralized package manager's idea of what the authoritative state is is a serious bottleneck. This is why lock files are being used for each project to define its own state. This is @simplex lock file: each time it says "github" that's a centralized bottleneck that must go away.
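The thread's point is that a lock file pins the state of each dependency, while the "github" entries tie that pinned state to one host. The following is an added example, not code from the discussion or from the project mentioned: it shows how a lock file that pins content by hash lets a dependency be fetched from any mirror, with the hash check rejecting a tampered copy and skipping an unreachable host. The lock-file format, mirror URLs and archive contents are all constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# --- Constructed sample data (not from the thread) -------------------------
# "Source archives" are plain byte strings so the example runs offline.
GOOD_LIBFOO = b"libfoo-1.2.0 source archive (constructed)"
GOOD_LIBBAR = b"libbar-0.9.3 source archive (constructed)"
TAMPERED_LIBFOO = b"libfoo-1.2.0 source archive (constructed) + injected code"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hypothetical lock file that pins each dependency by content hash.
# The canonical URL is only a hint about where the package originally lived;
# any mirror whose bytes match the hash is acceptable, so no single host is
# required for the project to build.
LOCK_FILE: Dict[str, Dict[str, str]] = {
    "libfoo": {"url": "https://github.com/example/libfoo",
               "sha256": sha256_hex(GOOD_LIBFOO)},
    "libbar": {"url": "https://github.com/example/libbar",
               "sha256": sha256_hex(GOOD_LIBBAR)},
}

# Simulated mirrors: package name -> archive bytes; None = mirror unreachable.
MIRRORS: Dict[str, Optional[Dict[str, bytes]]] = {
    "https://github.com": None,  # the canonical host is "down" in this scenario
    "https://mirror-a.example": {"libfoo": TAMPERED_LIBFOO, "libbar": GOOD_LIBBAR},
    "https://mirror-b.example": {"libfoo": GOOD_LIBFOO, "libbar": GOOD_LIBBAR},
}

Fetcher = Callable[[str, str], Optional[bytes]]


def mirror_fetch(mirror: str, name: str) -> Optional[bytes]:
    """Stand-in for a network fetch: archive bytes, or None if unavailable."""
    catalogue = MIRRORS.get(mirror)
    if catalogue is None:
        return None
    return catalogue.get(name)


def resolve(name: str, lock: Dict[str, Dict[str, str]], mirrors: List[str],
            fetch: Fetcher = mirror_fetch) -> Tuple[bytes, str]:
    """Fetch `name` from the first mirror whose content matches the pinned hash.

    Unreachable mirrors are skipped; mirrors serving bytes with a different
    hash are rejected. Raises LookupError if no mirror serves matching content.
    """
    expected = lock[name]["sha256"]
    rejected = []
    for mirror in mirrors:
        data = fetch(mirror, name)
        if data is None:
            rejected.append((mirror, "unreachable"))
            continue
        if sha256_hex(data) != expected:
            rejected.append((mirror, "hash mismatch"))
            continue
        return data, mirror
    raise LookupError(
        f"{name}: no mirror served content matching {expected[:12]}...; tried {rejected}"
    )


def resolve_all(lock: Dict[str, Dict[str, str]], mirrors: List[str],
                fetch: Fetcher = mirror_fetch) -> Dict[str, str]:
    """Resolve every pinned dependency; returns name -> mirror that served it."""
    return {name: resolve(name, lock, mirrors, fetch)[1] for name in lock}


if __name__ == "__main__":
    for pkg, served_by in resolve_all(LOCK_FILE, list(MIRRORS)).items():
        print(f"{pkg}: served by {served_by}")
```

In this run the canonical host is skipped as unreachable, mirror-a's copy of libfoo is rejected because its hash does not match the lock entry, and mirror-b's copy is accepted; libbar is taken from mirror-a. The design choice is that trust lives in the committed hash rather than in the host name, which is what makes the set of mirrors interchangeable.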