When someone tries to push (or perhaps only where there is a Conventional Commit which implies a new release?) there should be a block if there are Depbot pull requests.
This isn't to say they need to be merged, as there might be good reasons not to, but there should be an element of Yes/No/Postpone so we're getting on top of these security issues.
A related thought, which I'll include here, is whether, when doing a new release where a poetry.lock is present, it should be refreshed to pick up any new versions of packages that meet the restrictions in the pypoetry.toml.
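One way the push block could be implemented, as an added example and not code from this project: a hypothetical git `pre-push` hook that looks for release-implying Conventional Commit subjects (`feat`, `fix`, or any type marked breaking with `!`) in the commits being pushed, counts open Dependabot pull requests with the GitHub CLI (assumed installed and authenticated), and refuses the push unless a decision has been recorded in an assumed `DEPBOT_DECISION` environment variable (`merge`, `reject` or `postpone`).

```shell
#!/bin/sh
# Hypothetical pre-push hook (added example). Assumes the `gh` CLI is
# installed and logged in, and that the pusher records a decision about open
# Dependabot PRs in DEPBOT_DECISION=merge|reject|postpone before pushing.

# Return 0 when a commit subject implies a new release under Conventional
# Commits: a feat or fix type, or any type marked breaking with "!".
# (A "BREAKING CHANGE:" footer in the body is not inspected here.)
release_implied() {
    case "$1" in
        feat:*|feat\(*|fix:*|fix\(*) return 0 ;;
        *'!:'*) return 0 ;;
    esac
    return 1
}

# Decide whether the push may proceed: $1 = number of open Dependabot PRs,
# $2 = recorded decision ("" if none). Prints the reason; returns 0 = allow.
gate_push() {
    open_prs=$1
    decision=$2
    if [ "$open_prs" -eq 0 ]; then
        echo "no open Dependabot PRs"
        return 0
    fi
    case "$decision" in
        merge|reject|postpone)
            echo "$open_prs Dependabot PR(s) open; decision recorded: $decision"
            return 0 ;;
        *)
            echo "blocked: $open_prs Dependabot PR(s) open and no decision given"
            return 1 ;;
    esac
}

# git feeds the hook lines of "<local ref> <local sha> <remote ref> <remote sha>".
main() {
    while read -r local_ref local_sha remote_ref remote_sha; do
        range="$remote_sha..$local_sha"
        # An all-zero remote sha means a new branch: inspect every local commit.
        case $remote_sha in 0000000000000000000000000000000000000000) range=$local_sha ;; esac
        git log --format=%s "$range" | while read -r subject; do
            if release_implied "$subject"; then
                count=$(gh pr list --author app/dependabot --state open --json number --jq length)
                gate_push "$count" "${DEPBOT_DECISION:-}" || exit 1   # exits the pipeline subshell
                break
            fi
        done || exit 1
    done
    exit 0
}
# Only act when git actually invokes this file as the pre-push hook.
case "${0##*/}" in pre-push) main ;; esac
```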