Library dependency version specifiers aren't for fixing vulnerabilities
Summary
A blog post argues that library dependency version specifiers should be used to declare compatibility, not to enforce security upgrades. It uses urllib3 as an example of how widely a forced upgrade would propagate through the ecosystem if libraries pushed security fixes through their dependency ranges, and concludes that users should manage their own dependency versions.
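The following is an added example illustrating the distinction the post draws; it is not code from the blog post or from urllib3. It assumes a constructed library compatibility range, a constructed advisory id, and placeholder version numbers (none of which correspond to a real urllib3 release or advisory): the library's specifier accepts both an affected and a fixed version, because its job is compatibility, and the security decision is made on the application side by auditing the pinned version from the lockfile.

```python
"""Added example: compatibility ranges versus application-side security pins.

All package ranges, version numbers and advisory ids below are constructed
placeholders, not real urllib3 metadata or advisories.
"""
import operator
import re


def parse_version(v):
    """Turn '1.99.2' into (1, 99, 2) so tuples compare numerically.

    Only plain dotted numeric versions are handled; this is a small
    subset of PEP 440, enough for the demonstration.
    """
    return tuple(int(p) for p in v.split("."))


# Matches one clause of a specifier such as '>=1.21' or '<3'.
SPEC_RE = re.compile(r"(>=|<=|==|!=|>|<)\s*([0-9.]+)")

_OPS = {
    ">=": operator.ge,
    "<=": operator.le,
    "==": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
}


def allows(specifier, version):
    """True if `version` satisfies every clause of a comma-separated
    specifier such as 'urllib3>=1.21,<3' (package name is ignored)."""
    ver = parse_version(version)
    for op, bound in SPEC_RE.findall(specifier):
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True


# Constructed: a library declaring which urllib3 versions it works with.
# This is a compatibility statement, not a security statement.
LIBRARY_REQUIRES = "urllib3>=1.21,<3"

# Constructed advisory (placeholder id and version): versions below
# 1.99.2 are treated as affected.
ADVISORIES = [
    {"package": "urllib3", "affected_below": "1.99.2", "id": "EXAMPLE-ADVISORY-0001"},
]


def audit_pins(pins, advisories=ADVISORIES):
    """Application-side check: given the exact versions the application
    pinned (what a lockfile records), return the advisory ids that apply.

    This is where the security decision belongs: the application can move
    its pin forward without every library in between changing its range.
    """
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is not None and parse_version(pinned) < parse_version(adv["affected_below"]):
            findings.append(adv["id"])
    return findings


def main():
    # The library's range accepts both the affected and the fixed pin;
    # it cannot (and should not try to) tell them apart.
    for pin in ("1.99.1", "1.99.2"):
        print(f"{LIBRARY_REQUIRES} allows {pin}: {allows(LIBRARY_REQUIRES, pin)}")
        print(f"application audit of urllib3=={pin}: {audit_pins({'urllib3': pin})}")


if __name__ == "__main__":
    main()
```

The point the script makes concrete: both pins satisfy the library's range, so tightening that range to exclude the affected version would force every downstream consumer to upgrade at once, while the application's own pin and audit step catches the affected version without touching any library's metadata.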