Pipfile and Pipfile.lock are no longer necessary since update.py has been permanently moved to @cu-mkp/manuscript-object.
We are seeing Dependabot alerts apparently because of the presence of these files