I've just ran into a scenario where one of my resources was depending on azure-native plugin 1.4.0 and other resources were depending on version 1.5.0 for which I've lost a good part of the last 2 hours trying to fix 🙃 I'd like to understand: a) The only resource that still had 1.4.0 was marked as protected -- is this why it didn't get updated? b) I'm running pulumi up while testing in my local (deploying to test environment) and I also run the same commands on the CICD pipeline. Was this what caused the plugin upgrade? c) How can I prevent plugin upgrades? thank you!

The specifics to pin version will depend on the programming language/tool you’re using. But they all have a locking mechanism. npm has a package.json with package-lock.json, Python pipenv has a Pipfile and Pipfile.lock/poetry, Go, C#, etc. You should set the versions you want to use and guarantee with the lock file that this version is what’s getting installed in your local and your CI/CD process.