Libraries that don't do point-release security updates for major versions should not be trusted, or used in production.
Libraries that do release security updates, but introduce new language features like generics in those point-releases, also shouldn't be trusted, and have no place in production. Why should I upgrade my language version to get a security fix?
Yes. Because if the code works now then it doesn't need generics, so the only reason for adding generics immediately is because the author wants to play with the new toy. And I don't need that kind of attitude in code I rely on.