Do away with
--disable-autopin. The only new package manager commands are
There are two pinfiles: a private one and a shared one. The shared one is adjacent to Package.swift, as in the existing proposal. The private one is stored in some quasi-hidden location not likely to be checked in, e.g. a dotfile, and is an implementation detail.
swift package pin foo 1.2.3 writes a dependency version to the shared pinfile;
swift package unpin foo removes it from the shared one. Running
swift package pin foo with no version number copies the entry from the private pinfile to the shared one, with its current version.
swift package update only searches for new versions of packages listed in the private pinfile;
--repin is required to update packages in the shared one.
In the shared pinfile, there is a boolean setting that determines whether newly downloaded dependencies are added to the shared pinfile. Both
swift package pin --all and
swift package pin --new set it to true; the corresponding unpin commands both set it to false. It is true by default.