It's not like pinning means you can /never/ update. You just get to do it on your own schedule.
You can even automate updating to some degree -- running your tests against the latest everything and then locking in to those versions of all goes well.
Again, this only works for project skeletons, and not for any other package that happened to have a transient dependency on `is-promise` (which is a lot more than project skeletons).
And this would do nothing for the fact that `npm install eslint && ./node_modules/.bin/eslint` was also failing.