I think there's a wider discussion to be had with @tomchristie about how dev dependencies should be managed and pinned. I do remember we've been affected by breaking changes in those in the past (though I don't remember how exactly), and I'd agree a more strict pinning of them could be beneficial. But managing and updating those pins manually in a consistent way across repos sounds difficult. So dependabot could be a nice way forward… I think it would just need some playing around to see if it could work for us w/o too much overhead. E.g. maybe configure and enable it here first and see how that goes? :-)
@florimondmanca Good point about the dependencies. I've updated my fork to pin all the dependencies and also enabled dependabot to bump them automatically. I'll report in a few days (probably by opening a separate issue) to see how it goes.
While reviewing #1050 I noticed that `isort` is not pinned to the major version like it was done in httpcore's PR encode/httpcore#111. I think it's a good idea to have it in both.

Related to this, should we pin all the development dependencies to strict versions and let something like dependabot keep them updated? That way we would avoid breakages like what happened here: #1048 (comment)