
fix: unpin dependencies

Open s0 opened this issue 2 years ago • 0 comments

Currently direct dependencies are pinned to specific patch versions. As a result, projects that use this repository cannot respond to transitive dependency updates. For example, #210 updates lodash to address CVE-2020-8203, but other projects need to wait for Caporal to do this and update after a new version has been published, and cannot be more proactive in addressing vulnerabilities in transitive dependencies.

Other projects have been working around this by adding overrides to their package files, e.g: https://github.com/Scrivito/scrivito_example_app_js/commit/9bd42031c54a7693fdd328dc42fa979a48f3c19d

Beyond this, it looks like releases have not been pushed out recently, I'm guessing this is due to incorrectly formatted commit messages? So people who use this library are still currently stuck with CVE-2020-8203. This change should prevent this happening going forward.

s0 · Jul 01 '22 15:07
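The two things the issue describes, as an added example that is not code from the Caporal.js project: a check that flags direct dependencies pinned to an exact version in a package.json, and the consumer-side npm `overrides` workaround for forcing a patched transitive version. The package names and versions in the sample manifests are constructed, and the override value is a placeholder for whichever lodash version the CVE-2020-8203 advisory names as fixed.

```javascript
// Added example: detect exactly pinned direct dependencies and build the
// "overrides" entry a consumer can use until the library itself unpins.

// A range counts as an exact pin when it is a bare version (optionally
// "=" or "v" prefixed) with no range operator such as ^, ~, >=, x or *.
const EXACT_PIN = /^=?v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Returns [{ field, name, range }] for every dependency whose range is an
// exact pin, scanning the three dependency fields npm installs from.
function findExactPins(pkg) {
  const pinned = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (EXACT_PIN.test(String(range).trim())) pinned.push({ field, name, range });
    }
  }
  return pinned;
}

// Returns a copy of the consumer manifest with an npm "overrides" entry
// (supported by npm 8.3 and later) forcing `name` to `version` everywhere
// it appears in the dependency tree, including inside pinned libraries.
function addOverride(pkg, name, version) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: version } };
}

// Constructed manifest for a library that pins some dependencies exactly.
// Names and versions are illustrative and not taken from Caporal.js.
const libraryManifest = {
  name: "example-cli-lib",
  dependencies: { lodash: "4.17.15", chalk: "^4.1.0", glob: "~7.2.0", "example-util": "3.0.2" },
};

// Constructed consumer manifest. PATCHED_LODASH_VERSION is a placeholder:
// substitute the fixed version named in the CVE-2020-8203 advisory.
const consumerManifest = { name: "example-app", dependencies: { "example-cli-lib": "^1.0.0" } };
const patchedConsumer = addOverride(consumerManifest, "lodash", "PATCHED_LODASH_VERSION");

console.log("exact pins:", findExactPins(libraryManifest).map((p) => `${p.name}@${p.range}`));
console.log(JSON.stringify(patchedConsumer, null, 2));
```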