Dev requirements are not being updated

[StevenMaude]

• Dependabot isn't configured.
• Also Dependabot doesn't work with Python 3.8, even if configured.

Should we use the update-dependencies action instead?

Edit: To avoid errors from Dependabot security updates, we've disabled the "Dependabot security updates" option for this repository, for now. It was only checking for dev requirements.

If we fix #280 and switch back to Dependabot, we should re-enable Dependabot security updates.

[lucyb]

Would moving over to UV help here?

[StevenMaude]

Would moving over to UV help here?

I think no more than switching to the update-dependencies action even with what we have already. We could at least run pip-compile regularly then.

We're still limited in that packages we rely on may have already dropped, or in future may reasonably drop, Python 3.8 support as it's now end of life (#280) though.

Upgrading Python would also allow Dependabot to work here, but we probably don't want to use Dependabot anyway.