Then you can’t upgrade anything unless create-react-app releases a new version (or you eject), which, in addition to the obvious release cadence problem, might introduce other compatibility problems.
It's not like pinning means you can /never/ update. You just get to do it on your own schedule.
You can even automate updating to some degree -- running your tests against the latest everything and then locking in to those versions if all goes well.
Again, this only works for project skeletons, and not for any other package that happened to have a transient dependency on `is-promise` (which is a lot more than project skeletons).