There is always a risk that at the time that you pinned, the code was already compromised, but it lowers your attack surface to pin. As long as you've pinned while the code was not compromised, then someone changing the package for an already pinned version will fail the install because the hash check fails.

It's "if I pin the dep, I know that someone won't compromise the package repo and the next time I install 2.6.3 I can be sure that the same package is getting downloaded and installed."

This specific risk isn't just not having things version-pinned. It's not having a hash of the package to check against to make sure you're getting the same package every time.
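Added example, not from the comment above: a small model of the hash-check gate the comment describes, in the `--hash=` line format pip uses with `--require-hashes`. The package name `example-pkg` and both artifact byte strings are constructed placeholders; the pinned digest is computed from the "good" bytes at pin time, so a later artifact served under the same `2.6.3` version with different contents is refused.

```python
import hashlib
import hmac
import re

# Constructed artifact bytes standing in for a wheel/sdist of "example-pkg"
# 2.6.3 (placeholder name, not a real package). GOOD_ARTIFACT is what was
# downloaded when the pin was recorded; TAMPERED_ARTIFACT is what a
# compromised index might serve later under the very same version number.
GOOD_ARTIFACT = b"example-pkg 2.6.3 original contents"
TAMPERED_ARTIFACT = b"example-pkg 2.6.3 contents with an extra payload"

# Requirement line in the format pip accepts with --require-hashes. The digest
# is computed from GOOD_ARTIFACT at "pin time", so the example is reproducible.
PINNED_LINE = (
    "example-pkg==2.6.3 "
    f"--hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}"
)

_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)(?P<rest>.*)$")
_HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


def parse_pinned_requirement(line):
    """Return (name, version, {algo: digest}) for an exact '==' pin with hashes."""
    m = _REQ_RE.match(line.strip())
    if m is None:
        raise ValueError("only exact '==' pins can carry hashes: %r" % line)
    hashes = {h.group("algo"): h.group("digest").lower()
              for h in _HASH_RE.finditer(m.group("rest"))}
    if not hashes:
        # A bare version pin says nothing about the bytes; that is the gap the
        # comment points at, so treat it as an error rather than silently passing.
        raise ValueError("version pin without any --hash: %r" % line)
    return m.group("name"), m.group("version"), hashes


def artifact_matches_pin(artifact, hashes):
    """True if the artifact matches at least one pinned digest (pip semantics)."""
    for algo, expected in hashes.items():
        if algo not in hashlib.algorithms_available:
            continue  # an algorithm we cannot compute cannot vouch for the bytes
        actual = hashlib.new(algo, artifact).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def check_install(line, artifact):
    """Install gate: allow only if the downloaded bytes match the recorded pin."""
    _name, _version, hashes = parse_pinned_requirement(line)
    return artifact_matches_pin(artifact, hashes)
```

Both artifacts carry the same version string, so a version-only pin would accept either; only the recorded digest tells them apart.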