Lately my first response to a Dependabot CVE alert, and a fair few of the routine version bumps, has been to check whether I still need the dependency at all before looking at what changed in it.

Solid advice.

Tony Meyer @tonyandrewmeyer