I get a weekly email digest of GitHub's Dependabot alerts for the collective and the plone orgs... what's the best way to handle these? Should I create the PRs and hope for the best? (see if tests pass, at least)
It would be great to make some progress on making sure Plone packages are not depending on packages that are vulnerable. There are probably some that are easier to resolve than others (in some cases updating to the fixed version may also require making adjustments in Plone code, if it's not a backwards-compatible update). I would start with a few PRs and see how it goes.
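One way to decide which of those alerts to turn into PRs first, following the "start with the easy ones" advice above, is to compare each alert's patched version against what the repo actually pins and classify the required bump. The script below is an added example and is not code from the thread, from Plone or from GitHub: the constraints text and the alert records are constructed samples, and the alert field names (`package`, `patched`, `severity`) are an assumption rather than GitHub's real alert schema. It ranks patch-level bumps (usually safe to merge once tests pass) ahead of minor and major bumps (the ones that may need Plone code changes), and drops alerts that are already fixed by the current pin.

```python
"""Triage helper for dependency-vulnerability alerts (added example).

Assumptions, not from the thread: pins come from a requirements/constraints
style file with ``name==version`` lines, and each alert is a dict with
``package``, ``patched`` (first fixed version) and ``severity``.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample constraints; not a real Plone constraints file.
SAMPLE_CONSTRAINTS = """\
# constructed sample
examplelib==1.4.0
otherlib==2.9.1
safelib==3.0.0
legacylib==0.8.5
"""

# Constructed sample alerts; field names are an assumption, not GitHub's schema.
SAMPLE_ALERTS = [
    {"package": "examplelib", "patched": "1.4.2", "severity": "high"},
    {"package": "otherlib", "patched": "3.0.0", "severity": "medium"},
    {"package": "safelib", "patched": "2.5.0", "severity": "low"},  # pin already above the fix
    {"package": "legacylib", "patched": "1.0.0", "severity": "critical"},
]

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)")
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
BUMP_ORDER = {"patch": 0, "minor": 1, "major": 2}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a plain dotted version like '1.4.2' into a comparable int tuple."""
    return tuple(int(part) for part in text.split("."))


def parse_constraints(text: str) -> Dict[str, str]:
    """Collect ``name==version`` pins, ignoring comments and other lines."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def bump_kind(pinned: str, patched: str) -> str:
    """Classify the upgrade as 'major', 'minor' or 'patch' by the first differing part."""
    a, b = parse_version(pinned), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    if a[0] != b[0]:
        return "major"
    if width > 1 and a[1] != b[1]:
        return "minor"
    return "patch"


def triage(constraints_text: str, alerts: List[dict]) -> List[dict]:
    """Return the alerts that still apply to our pins, easiest fixes first.

    Sort key: smallest bump first, then highest severity first.
    """
    pins = parse_constraints(constraints_text)
    results = []
    for alert in alerts:
        name = alert["package"].lower()
        pinned = pins.get(name)
        if pinned is None:
            continue  # not pinned in this file: alert belongs to another repo or path
        if parse_version(pinned) >= parse_version(alert["patched"]):
            continue  # already at or above the patched version: nothing to do
        results.append({
            "package": name,
            "pinned": pinned,
            "patched": alert["patched"],
            "severity": alert["severity"],
            "bump": bump_kind(pinned, alert["patched"]),
        })
    results.sort(key=lambda r: (BUMP_ORDER[r["bump"]], -SEVERITY[r["severity"]]))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_CONSTRAINTS, SAMPLE_ALERTS):
        print(f"{row['package']:<12} {row['pinned']:>7} -> {row['patched']:<7} "
              f"{row['bump']:<6} {row['severity']}")
```

On the constructed input this lists `examplelib` (a patch bump) first, then the two major bumps with the critical one ahead of the medium one, which mirrors the suggestion to open a few easy PRs first and leave the upgrades that may need Plone code changes for a closer look. The version parser only handles plain dotted numeric versions; real constraints files with pre-release or post-release suffixes would need a proper version library.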