You should be mostly OK on Console, joomla-framework/console@7032ec0...master is the diff from where the lock file says things are at now (the big change is the app handles uncaught Throwables with output instead of relying on an event listener to do it).

Application shouldn't be an issue on its own, it's going to introduce deprecations galore though because of deprecating the Input access as a property. joomla-framework/application@3d549e0...2.0-dev for the diff.

Combined, with the CMS environment's tight coupling to Factory::getApplication()->input, that's where you start running into problems. Even this shouldn't prevent upgrading the Console package to current version, it's already unaware of the Joomla\Input\Input class anyway and as long as Joomla\Application\AbstractApplication is at a version where it is input aware then nothing will be terribly broken.

Because of this issue, OAuth1 and OAuth2 shouldn't be updated because they were modified to use the interfaces, see joomla-framework/oauth1@36da2b8...2.0-dev and joomla-framework/oauth2@98ff498...2.0-dev

From #27996 the only other questionable update is the Event package if Joomla\Event\DelegatingDispatcher is in use anywhere (which, it shouldn't be). Everything else should be safe per SemVer and defined version constraints.

Fixed in #26820