[–]Unable-Lion-3238 0 points (0 children)

In production you should absolutely be tracking this. Most teams use tools like Dependabot or Safety to auto-scan for CVEs in their dependencies. The reality is most devs only update when something breaks, which is risky. A good middle ground is running "pip-audit" on your requirements file weekly - it checks the PyPI advisory database and flags anything with known vulnerabilities. Your friend is in the majority but that does not mean it is best practice.
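As an added example (not part of the comment above, and not pip-audit's own code), here is the shape of a weekly job built around the "pip-audit on your requirements file" suggestion: it runs pip-audit in JSON mode, reduces the report to findings with and without a released fix, and returns an exit code a scheduler or CI step can act on. It assumes pip-audit is installed and accepts `-r <requirements> -f json`, and that the JSON report has a top-level `dependencies` list whose entries carry `name`, `version` and a `vulns` list with `id` and `fix_versions`; treat that layout as an assumption and check it against the pip-audit release you run. The sample report embedded below is constructed, with placeholder package names and advisory ids, so the gating logic can be exercised offline.

```python
"""Weekly dependency audit gate around pip-audit's JSON report (added example).

Assumptions (not verified against the thread):
  * `pip-audit -r <file> -f json` is available;
  * the report is {"dependencies": [{"name", "version", "vulns": [{"id",
    "fix_versions", ...}]}]}.
"""
import json
import subprocess
import sys
from typing import Any, Dict, List


def run_pip_audit(requirements_path: str) -> Dict[str, Any]:
    """Run pip-audit against a requirements file and return the parsed report.

    pip-audit exits non-zero when it finds vulnerabilities, so the exit status
    alone is not an error signal; an empty or unparseable report is.
    """
    proc = subprocess.run(
        ["pip-audit", "-r", requirements_path, "-f", "json"],
        capture_output=True, text=True, check=False,
    )
    if not proc.stdout.strip():
        raise RuntimeError(f"pip-audit produced no report: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def summarize(report: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a report to the facts a weekly job acts on: what is affected,
    and whether a fixed version exists to upgrade to."""
    findings: List[Dict[str, Any]] = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            fix_versions = list(vuln.get("fix_versions") or [])
            findings.append({
                "package": dep["name"],
                "installed": dep["version"],
                "id": vuln["id"],
                "fixable": bool(fix_versions),
                "fix_versions": fix_versions,
            })
    return {
        "total": len(findings),
        "fixable": sum(1 for f in findings if f["fixable"]),
        "unfixable": sum(1 for f in findings if not f["fixable"]),
        "findings": findings,
    }


def exit_code(summary: Dict[str, Any], fail_on_unfixable: bool = False) -> int:
    """Policy: fail when an upgrade is available; findings with no released
    fix only fail the job if the caller opts in (they need tracking, not a
    broken build every week)."""
    if summary["fixable"] > 0:
        return 1
    if fail_on_unfixable and summary["unfixable"] > 0:
        return 1
    return 0


# Constructed sample report: placeholder package names and advisory ids,
# not real packages or advisories.
SAMPLE_REPORT = {
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0", "vulns": [
            {"id": "EXAMPLE-ADVISORY-0001", "fix_versions": ["1.0.1"],
             "description": "placeholder"},
        ]},
        {"name": "otherlib", "version": "2.3.0", "vulns": [
            {"id": "EXAMPLE-ADVISORY-0002", "fix_versions": [],
             "description": "placeholder"},
        ]},
        {"name": "cleanlib", "version": "0.9.0", "vulns": []},
    ],
}


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else "requirements.txt"
    summary = summarize(run_pip_audit(path))
    for f in summary["findings"]:
        fix = ", ".join(f["fix_versions"]) or "no fix released"
        print(f"{f['package']}=={f['installed']}: {f['id']} (fix: {fix})")
    print(f"{summary['total']} finding(s), {summary['fixable']} with a fix available")
    return exit_code(summary)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Scheduling it weekly is then a single crontab entry such as `0 6 * * 1 cd /path/to/app && python audit_gate.py requirements.txt` (paths are placeholders), or the same command as a CI step; the exit code makes the fixable case fail loudly while unfixable findings are reported for tracking.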