Update dependencies documentation (#21511)

* chore(): install hashin on dev to pip other deps.

* Update dependencies documentation

* Update docs/topics/development/dependencies.md

Co-authored-by: Mathieu Pillard <diox@users.noreply.github.com>

---------

Co-authored-by: Mathieu Pillard <diox@users.noreply.github.com>

docs/topics/development/dependencies.md

@@ -7,20 +7,14 @@ We use pip to manage dependencies and hashin to lock versions. We use npm to man
 
 ### Adding Python Dependencies
 
-We have 2 requirements files for python dependencies:
+We use `hashin <https://pypi.org/project/hashin>`_ to manage package installs. It helps you manage your ``requirements.txt`` file by adding hashes to ensure that the installed package versions match your expectations.
 
-- prod.txt
-- dev.txt
-
-Prod dependencies are used by our django app in runtime.
-They are strictly required to be installed in the production environment.
-
-Dev dependencies are used by our django app in development or by tools we use for linting, testing, etc.
+hashin is automatically installed in local developer environments.
 
 > If you add just the package name the script will automatically get the latest version for you.
 
 ```bash
-hashin -r <requirements file> <dependency>
+hashin -r {requirements} {dependency}=={version}
 ```
 
 This will add hashes and sort the requirements for you adding comments to
@@ -29,9 +23,34 @@ show any package dependencies.
 When it's run check the diff and make edits to fix any issues before
 submitting a PR with the additions.
 
-### Upgrading Python Dependencies
+### Managing Python Dependencies
 
-We mostly rely on dependabot for this. TBD Add more details.
+We have 2 requirements files for python dependencies:
+
+- prod.txt
+- dev.txt
+
+Prod dependencies are used by our django app in runtime.
+They are strictly required to be installed in the production environment.
+
+```bash
+make update_deps_prod
+```
+
+Dev dependencies are used by our django app in development or by tools we use for linting, testing, etc.
+
+```bash
+make update_deps
+```
+
+We use dependabot to automatically create pull requests for updating dependencies. This is configured in the `.github/dependabot.yml` file targeting files in our requirements directory.
+
+### Managing transitive dependencies
+
+In local development and in CI we install packages using pip, reading from one or more requirements files and always passing the `--no-deps` flag.
+This prevents pip from installing transitive dependencies.
+
+We do this because it gives us control over the full dependency chain - we know exactly which version of what package is installed so we can fully reproduce & trust environments.
 
 ## Frontend
 

requirements/dev.txt

@@ -261,3 +261,6 @@ ruff==0.2.2 \
 typing_extensions==4.10.0 \
     --hash=sha256:69b1a937c3a517342112fb4c6df7e72fc39a38e7891a5730ed4985b5214b5475 \
     --hash=sha256:b0abd7c89e8fb96f98db18d86106ff1d90ab692004eb746cf6eda2682f91b3cb
+hashin==0.17.0 \
+    --hash=sha256:4c03b3b1520a5117d8fdc26ae83c1267bc40da9925cd89b56b437bcb02bebb53 \
+    --hash=sha256:baa00fe209ee6800a7d09ffa3198b31d71ab1503730e7c172b7eccd01b6ec47e