> git tag on the main project

The most critical problem is that git tags are mutable. This is a common way to introduce supply chain attacks (which happen regularly), and this is why lock files contain a hash of the source code (just like git operates on hashes, not "names" of things; a version number is just a name).
If you only ever use your own code, you can of course abstain from modifying tags, but it's a blocker for any broader use (abstaining only gets you so far...). I.e. nowadays it's part of the minimal feature set of a package cloner, much like HTTPS support in a browser. Version tags are the equivalent of sending your password in plain text on a public wifi; it's that bad, due to how exploitable it is.
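A minimal illustration of the point above, added here as an example and not part of the original comment: pinning the commit hash a tag resolved to (what a lock file records) detects the tag being re-pointed, while resolving the tag name alone does not. It assumes `git` is installed and builds a throwaway repository in a temporary directory with constructed commits.

```shell
set -eu

# Git identity for the throwaway commits (constructed, not a real person).
git_() { git -c user.name=demo -c user.email=demo@example.invalid \
             -c commit.gpgsign=false -c init.defaultBranch=main "$@"; }

# Build a temporary repo: one commit tagged v1.0, then a second commit.
# Prints the repo path.
make_repo() {
    repo=$(mktemp -d)
    ( cd "$repo"
      git_ init -q
      printf 'print("release 1.0")\n' > app.py
      git_ add app.py
      git_ commit -q -m "release 1.0"
      git_ tag v1.0
      printf 'print("same tag, different code")\n' > app.py
      git_ commit -q -am "follow-up change" )
    echo "$repo"
}

# The "lock file" entry: the commit hash the tag resolved to at pin time.
pin_tag() { git_ -C "$1" rev-parse "$2^{commit}"; }

# Verify a pinned entry: compare what the tag resolves to now with the pin.
# Prints "ok" if unchanged, "moved" if the tag now names different content.
verify_pin() {
    now=$(git_ -C "$1" rev-parse "$2^{commit}")
    if [ "$now" = "$3" ]; then echo ok; else echo moved; fi
}

# Simulate the upstream quietly re-pointing the existing tag to newer code.
move_tag() { git_ -C "$1" tag -f "$2" HEAD >/dev/null; }

# Whole scenario: pin, verify, move the tag, verify again.
demo() {
    repo=$(make_repo)
    pinned=$(pin_tag "$repo" v1.0)
    before=$(verify_pin "$repo" v1.0 "$pinned")
    move_tag "$repo" v1.0
    after=$(verify_pin "$repo" v1.0 "$pinned")
    rm -rf "$repo"
    echo "$before $after"
}

demo   # prints: ok moved
```

The tag name `v1.0` is unchanged throughout; only the recorded hash reveals that the content behind it was swapped.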