It still needs a person to decide to merge a PR for a new version.
So this indeed is just about the dependency upgrade policies.

But isn't that what the version definition is for?
I'd argue that 1.12.4 <-> 1.12.6 should be a compatible upgrade AND
downgrade,
1.12.4 -> 1.20.0 not so much.

But to avoid all this is why I usually try to inline dependencies for
libraries as much as possible. Basically pretending to not have any.
This of course depends on whether the dependency can be isolated that way.

Also a point I made many times.
Just wanted to mention it - again :)
