SE-0145 recommends that libraries should not check in the `Package.pins` file, and that this even may become a warning. That said, it seems that `swift package init --type=library` should enforce this by default. Most obvious solution is just add "Package.pins" to the default `.gitignore` that gets created. Another option would be to automatically run `swift package pin --disable-autopin`.
For existing libraries, when they are upgraded to the new SwiftPM automatic pinning will be on by default and "Package.pins" will not be in the `.gitignore`. This causes all existing libraries to violate the recommendation unless user action is taken. Perhaps a broader solution to both this and the previous issue is just to have automatic pinning default to off for library targets and to on if any (non-test) executable targets exist. Is this way off base?