I'm generally in favor of picking up new versions automatically IFF you have enough guard rails in place to deal with the breakage whenever it occurs. You'll inevitably encounter that breakage at some point, you kind of have a three way choice when:
You can update explicitly and regularly, doing the appropriate checking at that point, but that takes a lot of discipline to do across the board You can pin and leave it until you need to upgrade, but then you're dealing with all the problems at once, less well exercised upgrade paths, and sometimes having to figure out multi step upgrades to get around all the mutual version constraints. Generally this happens at a time when you really need to get something else done and you did not plan to spend a week sorting out dependencies. You can leave versions floating and deal with any breakage as it comes up. This means only dealing with one or two issues at a time. You don't really control when, but it's less disruptive each time, and you can temporarily pin if you need to. The difficulty here is in knowing that an upgrade even happened, and noticing that it's breaking before it really fucks something up.
You can make different choices for different dependencies. It also matters whether you are only worried about compatibility, or supply chain security.