- Feature
- Resolution: Unresolved
- Normal
In theory we should upgrade packages as soon as a new version is available, if nothing else to get security patches. At the same time, lock files can prevent us from upgrading into a malicious version created by a supply chain attack.
We have [pipeline-definition/constraints.txt](https://gitlab.com/cki-project/pipeline-definition/-/blob/9871c2e0735acc4d44d8a3253b217e0f2a2b7343/constraints.txt) with a few dependency locks, where a new line is created whenever we have a compatibility problem with one of the dependencies.
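As an added example (not CKI project code) of the check a constraints file like the one above implies, here is a stdlib-only Python parser for constraint lines that reports which packages are hard-pinned and which available upgrades the file would refuse; the sample constraints, package names and version numbers are constructed.

```python
# Added example for this issue, not CKI project code. The constraints text,
# package names and versions below are constructed; versions are assumed to
# be plain dotted integers (PEP 440 pre-release/local tags are not handled).
import re

SAMPLE_CONSTRAINTS = """\
# constructed sample in constraints.txt format (not the real file)
urllib3<2.0
requests==2.28.2
pyyaml>=5.4,!=6.0.0
"""

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
       "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def parse_version(text):
    """'1.26.5' -> (1, 26, 5); trailing zeros dropped so 2.0 compares equal to 2.0.0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_constraints(text):
    """Return {package: [(operator, version_tuple), ...]}, ignoring comments and blanks."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, specs = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", line).groups()
        clauses = []
        for spec in specs.split(","):
            op, ver = re.match(r"(==|!=|<=|>=|<|>)\s*(.+)", spec.strip()).groups()
            clauses.append((op, parse_version(ver)))
        result[name.lower()] = clauses
    return result

def allows(constraints, package, version):
    """True if every clause for the package accepts the version (no clause: allowed)."""
    v = parse_version(version)
    return all(OPS[op](v, bound) for op, bound in constraints.get(package.lower(), []))

def pinned_packages(constraints):
    """Packages locked to one exact version ('==') rather than merely bounded."""
    return sorted(p for p, c in constraints.items() if any(op == "==" for op, _ in c))

def blocked_upgrades(constraints, available):
    """Given {package: newest available version}, the upgrades the file would refuse."""
    return sorted(p for p, v in available.items() if not allows(constraints, p, v))
```

Running `blocked_upgrades` against the newest versions on the index is a cheap way to see which lines in the constraints file are silently holding back security updates.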
Simone raised the question:
> Could we lock the dependencies in each CKI project instead?
- Differences between locking deps for libraries (cki-lib, dw-api-lib, reporter) vs applications (cki-tools, receiver, reporter)
- Differences with Node