Comment 2 for bug 1997545

OpenStack assumes security-sensitive deployments are consuming dependencies of its projects from a distribution which patches security vulnerabilities in them. As such, we don't backport changes to stable branches related to supporting different versions of dependencies, and expect downstream distributions to maintain secured forks of those dependencies as necessary. We freeze the versions of dependencies we test with at release time, in order to stabilize our CI for the corresponding stable branches and to emulate as closely as possible what versions are being carried by distributions contemporary with the initial release.

This is probably a duplicate of already public bug 1955556, but I'll let the Horizon reviewers confirm before switching it to public.