Stop using `:latest`

Do not use `:latest` tag for deployments.

`latest` is not a version. It is a moving label. Version control should define which external versions your system runs. If the image changes, the Compose file should change too.

Yes, upgrading manually is sometimes annoying. It is still worth it. Pinned versions give stable deployments, predictable rollbacks, and a clear upgrade path.

They also make tooling useful. Renovate can tell you a newer image exists and that your codebase still points to the old one. A pinned tag or digest is searchable. You can inspect the repository and answer simple questions: what is deployed, what changed, what should be rolled back.

With `:latest`, that control is gone. You cannot reliably track deployed versions through the codebase. You cannot easily audit outdated images. When a Docker Compose deployment breaks and you need to roll back, `:latest` turns a simple version problem into guesswork.

This applies even to self-hosting. Maybe especially there, because that is exactly where people are most tempted to be lazy.