dependabot.com/ is worth mentioning - it auto-creates pull requests for new versions.
Security is not the only driver; there are a lot of commits making your packages better all the time that you don't want to miss. Applying updates regularly also makes sure you know what you need to do should you need to quickly update in case of a new critical vulnerability.
I have watched developers struggle to update from 5-year-old versions; it's not a pretty sight ;)
I've added Dependabot, nice! And I agree, 100%!