
document best security practices for dependencies when installing dlt #957

@rudolfix

Background
dlt has very lax dependency requirements - and that is on purpose. We want this library to run everywhere.

This approach needs to be explained in the docs. There are best practices our users should follow to keep their deployments without vulns. We can provide further help by publishing freezes of our lockfile that we checked ourselves.

What we need to do:

  1. We must have our own lockfile checked - dependabot process must work
  2. We need a new section in docs on security, i.e. Security best practices.
  3. We should publish stable freezes from our lockfile.

Docs:
i.e. "Using dlt/Security best practices/Keep your dependencies safe"

  1. We explain that dlt accepts a very broad set of dependency versions, and that keeping dependencies clean can only be done by the user.
  2. We recommend using the lock file to freeze deps + dependabot + not upgrading automatically, only when vulns appear.
  3. We describe our own process of vetting the dependencies.
  4. We publish a freeze with vetted dependencies for
  • dlt without any extras, i.e. uv export --format requirements-txt --no-hashes --no-default-groups --no-editable --frozen --no-annotate
  • dlt with all the extras

This may be useful to start a new dlt project, i.e. with dlt init: uv add -r requirements.txt will seed pyproject.toml and the lockfile with tried dependencies.
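As an added example (not code from the dlt project or from the issue author): once a freeze has been exported with the uv command above and a project has been seeded from it, the two things a user of such a freeze wants to check are that the file really is a freeze (every line an exact == pin, nothing loose that a resolver could silently float) and what has drifted between the vetted freeze and the project's current export, so that upgrades happen on review rather than automatically. The script below is plain POSIX sh plus awk; the file names and the sample package versions are constructed for the demonstration and are not real dlt output.

```shell
#!/bin/sh
# Added example, not dlt project code. Operates on requirements-txt freezes
# such as the one produced by:
#   uv export --format requirements-txt --no-hashes --no-default-groups \
#             --no-editable --frozen --no-annotate > requirements.txt

# check_pinned FILE
# Succeeds only if every requirement line is an exact "name[extras]==version"
# pin (an optional "; marker" suffix is allowed). Comments, blank lines and
# "-r"/"-c"/"-e" include lines are skipped. Offending lines go to stderr.
check_pinned() {
  awk '
    /^[[:space:]]*#/ { next }          # comment
    NF == 0          { next }          # blank line
    /^-/             { next }          # -r / -c / -e include lines
    !/^[A-Za-z0-9][A-Za-z0-9._-]*(\[[A-Za-z0-9._,-]*\])?==[^<>=!~ ]+([[:space:]]*;.*)?$/ {
      bad++; print "unpinned: " $0 > "/dev/stderr"
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# freeze_diff VETTED CURRENT
# Prints one line per package that was added, removed or changed version
# relative to the vetted freeze. Exit 0 when the two agree, 1 when they drift,
# so it can gate a CI step or a pre-commit hook.
freeze_diff() {
  awk -F'==' '
    /^[[:space:]]*#/ || NF == 0 || /^-/ { next }
    {
      name = tolower($1); sub(/[[:space:]]+$/, "", name)
      ver = $2; sub(/[[:space:]].*$/, "", ver); sub(/;.*$/, "", ver)
    }
    NR == FNR           { vetted[name] = ver; next }        # first file: vetted
    !(name in vetted)   { printf "added   %s==%s\n", name, ver; changed++; next }
    vetted[name] != ver { printf "changed %s %s -> %s\n", name, vetted[name], ver; changed++ }
    { seen[name] = 1 }
    END {
      for (n in vetted) if (!(n in seen)) { printf "removed %s==%s\n", n, vetted[n]; changed++ }
      exit changed ? 1 : 0
    }
  ' "$1" "$2"
}

# write_samples DIR: constructed sample freezes (versions are made up).
write_samples() {
  d=$1
  printf '%s\n' '# vetted freeze (constructed sample)' \
    'dlt==1.0.0' 'requests==2.32.3' 'pyyaml==6.0.1' > "$d/vetted.txt"
  printf '%s\n' 'dlt==1.0.0' 'requests==2.32.4' 'duckdb==1.1.0' > "$d/current.txt"
  printf '%s\n' 'dlt>=0.5' 'requests==2.32.3' > "$d/loose.txt"
}

demo() {
  dir=$(mktemp -d)
  write_samples "$dir"
  echo "== pin check on vetted.txt"
  check_pinned "$dir/vetted.txt" && echo "ok: every requirement is pinned"
  echo "== pin check on loose.txt"
  check_pinned "$dir/loose.txt" || echo "rejected: not a freeze"
  echo "== drift between vetted.txt and current.txt"
  freeze_diff "$dir/vetted.txt" "$dir/current.txt" || echo "review the changes above before accepting them"
  rm -r "$dir"
}
demo
```

Running the script prints the report for the constructed samples: the vetted file passes the pin check, the loose file is rejected because of dlt>=0.5, and the drift report lists requests as changed, duckdb as added and pyyaml as removed. In a real project the second argument to freeze_diff would be a fresh uv export of the current lockfile, and a non-zero exit is the signal to look at the changed packages deliberately instead of letting them through.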

Status: In Progress