Okay, I believe that what we're going to do is this:
We don't change the dependency version requirements (in _auto_deps.py) unless something forces us to change them. That's because we're lazy, and not making changes is easier and less disruptive than making changes.
However, this means that what is written in _auto_deps.py is not an assertion on our part that these versions of the deps will function and be secure. Instead, it is just a record of the fact that nobody has shown us a problem with them that forced us to update them. In particular, we aren't making any particular effort to test with the older versions that we list as the minimum required versions.
So, to close this ticket, write this policy down somewhere, possibly just in a comment in _auto_deps.py, and then link to the patch that documents our policy and close this ticket.