The package.json file specifies unpinned dependencies.

The package-lock.json or yarn.lock or similar specifies the pinned dependencies.

Correct.

But neither the package-lock.json or the yarn.lock file is part of what you get when you create an angular project using the angular cli, meaning that the versions aren't pinned from googles side.

A. Nobody wants that. The reality is you're going to be using dozens of other libraries and will welcome wiggle room on how many versions your output includes. You want the list to be consistent and versioned, but you don't need the exact same one as Google.

B. If you really want to know what Angular is being tested with, see https://github.com/angular/angular/blob/master/yarn.lock