What's your approach to managing dependency drift in long-running Python services?

We've got a Python microservice that's been in prod for ~3 years. Started on Django 3.2, now on 4.2, but the gap between our pinned versions and upstream keeps widening. Our current approach: quarterly audit, manual testing, bump major deps one at a time. It works but it's slow and error-prone. How do you handle dependency drift without either (a) freezing forever on old versions, or (b) breaking things by chasing latest? Interested in specific tooling — Dependabot-style for Python, custom scripts, or CI-based drift detection.