> I want to update my dependency for my tiny service for a security patch
If the API changed it's not a security patch... Why would a change that only fixes a security bug cause tests to fail?
Sounds like this is more a matter of needing to cherry-pick temporarily and then actually pushing for the codebase to update, probably by the security team.
Sometimes you need to work with other people; that might necessitate doing "ugly" things to get the job done.
Yes, but very often you are trucking along just fine with some version of a dependency and then all of a sudden it gets a CVE and the fix has only been applied to the next major version and not backported because the version you are on is no longer supported. And now you are in dependency update cascading hell.