This is now updated by dependabot, with settings focussing on stability (using cooldown periods).
But currently these locked requirements are only used by:
- readthedocs
- vagrant (which i personally don't use that much anymore)
The CI tests always use the latest stuff because it uses the not-locked requirements.
Discuss what's better for CI: locked or not-locked?