Drupal Installation - to pin version or not
Time has moved on, as have Drupal versions and CiviCRM's installation instructions on Drupal. The core part of this issue remains, so I am updating it to reflect the current situation.
Currently the CiviCRM install instructions for Drupal on Drupal 9 specify a warning (probably don't do this...
There is a more detailed section under the Drupal 9 installation that explains the version constraints.
I'd assume this documentation should be accessible and understandable by someone approaching CiviCRM from Drupal who might be happy enough visiting a Drupal project page, copying the relevant composer command and running it, and happy following the relevant instructions on Drupal to upgrade a package using composer.
The instructions for updating Drupal Modules and Themes using composer currently recommend --with-all-dependencies.
This would then mean that for example someone with this level of understanding and using the current instructions could happily install drupal/webform_civicrm which requires civicrm/civicrm-drupal-8 and run an update of webform_civicrm and unexpectedly get an updated civicrm core.
Generally I'd think in this case we'd prefer this to be avoided? But perhaps this situation has changed?
At the very least following the format recommended by Drupal Contrib projects of specifying a version '^5.71' would pull in/allow upgrades to any 5.x.x release. As far as I'm aware there are no plans for a breaking CiviCRM 6.x release, but could there be in the future?
I think we should copy/shift the Version Constraints more details to be below the Drupal 10 version.
I think we should add/amend this to say that you might want to constrain the CiviCRM version to a specific version in composer.json. This would then mean that for example - using composer to update a Drupal module depending on CiviCRM i.e. Webform CiviCRM or CiviCRM entity and using a with-all-dependencies would not trigger an unintended CiviCRM upgrade.
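The following is an added example, not part of the original issue and not CiviCRM project code: a small check that reads a root composer.json and reports which CiviCRM packages an update run with --with-all-dependencies could move to a new minor release. The package names other than civicrm/civicrm-drupal-8, the exact version 5.71.1 and the webform_civicrm constraint are assumptions made for illustration.

```python
import json
import re

# Assumption: only civicrm/civicrm-drupal-8 is named in the issue; the other
# two package names are assumed to be the rest of a composer-based install.
CIVICRM_PACKAGES = ("civicrm/civicrm-core", "civicrm/civicrm-drupal-8",
                    "civicrm/civicrm-packages")

def classify(constraint):
    """Describe how far composer may move a package under this constraint."""
    c = constraint.strip().lstrip("=").strip()
    if re.fullmatch(r"v?\d+\.\d+\.\d+", c):
        return "pinned"              # 5.71.1: never moves
    if re.fullmatch(r"~v?\d+\.\d+\.\d+|v?\d+\.\d+\.(\*|x)", c):
        return "patch-only"          # ~5.71.1 or 5.71.*: stays below 5.72.0
    if re.fullmatch(r"\^v?[1-9]\d*\.\d+(\.\d+)?|~v?\d+\.\d+", c):
        return "minor-floating"      # ^5.71 or ~5.71: any later 5.x release
    return "open"                    # unrecognised form: review by hand

def audit(composer_json_text):
    """Map each CiviCRM package to (root constraint, classification)."""
    require = json.loads(composer_json_text).get("require", {})
    report = {}
    for pkg in CIVICRM_PACKAGES:
        if pkg in require:
            report[pkg] = (require[pkg], classify(require[pkg]))
        else:
            # Only the requirements of other packages (for example
            # drupal/webform_civicrm) limit it; the root project does not.
            report[pkg] = (None, "not-in-root")
    return report

def can_change_minor(report):
    """Packages that an update of a dependent module could bump to a new minor."""
    risky = ("minor-floating", "open", "not-in-root")
    return sorted(p for p, (_, kind) in report.items() if kind in risky)

# Constructed sample root composer.json (versions are illustrative).
SAMPLE = """{
  "require": {
    "drupal/webform_civicrm": "^6.2",
    "civicrm/civicrm-core": "^5.71",
    "civicrm/civicrm-drupal-8": "5.71.1"
  }
}"""

if __name__ == "__main__":
    for pkg, (constraint, kind) in audit(SAMPLE).items():
        print(f"{pkg:28} {constraint!s:10} {kind}")
    print("May change minor version:", can_change_minor(audit(SAMPLE)))
```
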