Pin Python requirements, dependency cooldowns

[sethmlarson]

Related to #2988. We also have many outstanding Dependabot PRs, so maybe even "weekly" is too often. Security updates will always get prioritized, so we don't have to worry too much about this time span being long.

I deleted uv.lock because it wasn't being used at all for deployment and appears to have been added accidentally? It was added in a seemingly unrelated README commit.

cc @JacobCoffee

[hugovk]

I deleted uv.lock because it wasn't being used at all for deployment and appears to have been added accidentally? It was added in a seemingly unrelated README commit.

Add it to .gitignore?

---

Looks like this weekend's pip release will add experimental support for installing from pylock.toml! pypa/pip#13876

Not necessarily suggesting waiting for that, there may be some edges that need polish, and pip-compile is a very good way to lock right now.

[JacobCoffee]

We use the uv.lock exclusively now (all of the old-style requirements.txt files were removed for this reason). used in makefile targets for docs, etc.

what we could do is migrate dockerfiles over to uv sync --frozen

[JacobCoffee]

dependabot changes +1, the rest needs undone

[sethmlarson]

@JacobCoffee Gotcha, I didn't realize it was used because it wasn't used in the Dockerfiles. I didn't look in the Makefile. I'll update this PR to use uv sync instead.