Yet who unpins them or updates when a new good version is available?


There's a cost for being out of date, but there's also a cost for learning the hard way whether a new version breaks prod. Pay it down like any other tech debt.

Maybe I could test literally every release version of each of my dependencies, but that isn't really my job.


Greenkeeper (and similar systems) comes to mind, too, in the polyrepo case. You can still CI with "the latest" in the polyrepo case. We have the technology to automate that. Including situations like 'let me know when the next version of my dependency that passes this test is released and send me a PR to update my pinned version when it happens'.


The person responsible for dependency management in your team. You have one, right?