Prevent Downgrade of dependencies

Open yippie opened this issue 2 years ago • 1 comments

Describe the bug

This is half a Salesforce bug because I can't believe it is allowed at all.

It seems that both Salesforce and CumulusCI will happily allow a minor version downgrade of unlocked packages.

Reproduction steps

  1. Have an Unlocked package <DGPackage> with at least 2 minor releases under the same major release (4.4 and 4.3 in my case)
  2. Have a Cumulus CI project <ParentPKG> with at least 2 dependencies, one of which is the above DGPackage
  3. The other dependency should also depend on DGPackage and specify a tag of 4.3
  4. Run update_dependencies

Expected: version 4.4 will be the final installed version of DGPackage

Actual: Both 4.4 and 4.3 will be installed even though this is effectively installing the same package twice. Depending on the order dependencies are listed, 4.4 may be installed first and then 4.3 which will successfully downgrade the org to 4.3. This is a big problem if the ParentPKG was built using DGPackage 4.4 as it will fail to install with a dependency error even though update_dependencies was run.

Your CumulusCI and Python versions

CumulusCI version: 3.77.0 (/Users/kai.amundsen/.local/bin/cci)

Python version: 3.10.9 (/Users/kai.amundsen/.local/pipx/venvs/cumulusci/bin/python)

Operating System

macOS 13.4.1

Windows environment

No response

CumulusCI installation method

None

Error Gist

No response

Additional information

No response

yippie, Aug 16 '23 13:08
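
The downgrade described in this issue can be caught at planning time by collapsing the flattened dependency list before anything is installed. The following is an added example, not CumulusCI's code and not the change made in the linked pull request; `Step`, `parse_version`, `plan_installs` and the `OtherDep` package name are hypothetical, and it assumes a higher version of a package satisfies any dependent that asked for a lower one.

```python
from typing import NamedTuple


class Step(NamedTuple):
    package: str       # package name (sample values below are constructed)
    version: str       # dotted numeric version such as "4.3"
    requested_by: str  # which dependency asked for this version


def parse_version(text):
    """Parse "4.10" into (4, 10, 0, 0) so that 4.10 sorts above 4.9."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def plan_installs(steps, installed=None):
    """Collapse a flattened dependency list to one install per package.

    Keeps the highest requested version at the position where the package
    first appears and drops anything at or below what the org already has.
    Returns (plan, skipped).
    """
    floor = {pkg: parse_version(v) for pkg, v in (installed or {}).items()}
    best, order, skipped = {}, [], []
    for step in steps:
        current = best.get(step.package)
        if current is None:
            order.append(step.package)
            best[step.package] = step
        elif parse_version(step.version) > parse_version(current.version):
            skipped.append(current)   # superseded by a newer request
            best[step.package] = step
        else:
            skipped.append(step)      # would be a downgrade or a repeat
    plan = []
    for pkg in order:
        step = best[pkg]
        if pkg in floor and parse_version(step.version) <= floor[pkg]:
            skipped.append(step)      # org is already at this version or newer
        else:
            plan.append(step)
    return plan, skipped


# Constructed input mirroring the reproduction steps: 4.4 listed first, then 4.3.
STEPS = [Step("DGPackage", "4.4", "ParentPKG"),
         Step("DGPackage", "4.3", "OtherDep"),
         Step("OtherDep", "1.0", "ParentPKG")]
```

The `skipped` list is worth logging, since each entry names the dependency that pinned the older version.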

Fixed By https://github.com/SFDO-Tooling/CumulusCI/pull/3671

yippie, Oct 10 '23 13:10