
Minimal dependency versions

Open tannaurus opened this issue 4 months ago • 1 comments

Description

Looking at sigstore-rs's Cargo.toml today, most of the dependencies use highly specific version numbers. As someone who uses sigstore-rs downstream, this leaves my application in a bit of a bind. While it's not an immediate issue, I fear that in the future we will depend on another crate that restricts the use to certain versions, resulting in a failure to compile.

It would be nice to see crate versions be reevaluated before 1.0.

Jon Gjengset sums this problem up well in this paragraph of Rust for Rustaceans, a book I will quote here in exchange for praising it and recommending that everyone who reads this issue purchase their own copy and subscribe to his YouTube channel (please don't sue me, Jon):

First, consider the case where you add a dependency on hugs = "1.7.3",
the latest published version. Now imagine that a developer somewhere
depends on your crate, but they also depend on some other crate, foo, that
itself depends on hugs. Further imagine that the author of foo is really careful
about their MSRV policy, so they depend on hugs = "1, <1.6". Here, you’ll run
into trouble. When Cargo sees hugs = "1.7.3", it considers only versions >=1.7.
But then it sees that foo’s dependency on hugs requires <1.6, so it gives up and
reports that there is no version of hugs compatible with all the requirements.

tannaurus, Mar 07 '24 21:03
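To make the conflict the quoted paragraph describes concrete, here is an added example (not code from sigstore-rs or from the book) that models Cargo's caret and comparison requirements as half-open version ranges and intersects them. It assumes plain numeric versions with no pre-release tags and handles only the `^`, `>=`, `<` and `=` forms.

```rust
// Added example: model Cargo version requirements as half-open ranges and intersect them.
// Assumption: plain numeric versions; `>`, `~` and `*` requirements are not modelled.
type Ver = (u64, u64, u64);
const MAX: Ver = (u64::MAX, u64::MAX, u64::MAX);

/// Half-open interval [lo, hi) of versions a requirement allows.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Range { pub lo: Ver, pub hi: Ver }

/// Parse "1", "1.6" or "1.7.3"; missing components default to 0. Also returns how many were given.
fn parse_ver(s: &str) -> (Ver, usize) {
    let parts: Vec<u64> = s.trim().split('.').map(|p| p.parse().expect("numeric component")).collect();
    let get = |i: usize| parts.get(i).copied().unwrap_or(0);
    ((get(0), get(1), get(2)), parts.len())
}

/// One comparator. A bare version is a caret requirement (Cargo's default):
/// `1.7.3` => >=1.7.3,<2.0.0; `1` => >=1.0.0,<2.0.0; `0.2.3` => >=0.2.3,<0.3.0; `0.0.3` => <0.0.4.
fn comparator(c: &str) -> Range {
    let c = c.trim();
    if let Some(v) = c.strip_prefix(">=") { return Range { lo: parse_ver(v).0, hi: MAX }; }
    if let Some(v) = c.strip_prefix('<') { return Range { lo: (0, 0, 0), hi: parse_ver(v).0 }; }
    if let Some(v) = c.strip_prefix('=') { let v = parse_ver(v).0; return Range { lo: v, hi: (v.0, v.1, v.2 + 1) }; }
    let ((x, y, z), n) = parse_ver(c.strip_prefix('^').unwrap_or(c));
    let hi = if x > 0 { (x + 1, 0, 0) }                // 1.y.z -> <2.0.0
        else if n == 1 { (1, 0, 0) }                   // ^0 -> <1.0.0
        else if n == 2 || y > 0 { (0, y + 1, 0) }      // ^0.2.3 or ^0.0 -> next minor
        else { (0, 0, z + 1) };                        // ^0.0.3 -> <0.0.4
    Range { lo: (x, y, z), hi }
}

/// Intersect every comma-separated comparator of a requirement string such as "1, <1.6".
pub fn parse_req(req: &str) -> Range {
    req.split(',').map(comparator)
        .fold(Range { lo: (0, 0, 0), hi: MAX }, |a, b| Range { lo: a.lo.max(b.lo), hi: a.hi.min(b.hi) })
}

/// Versions that satisfy both requirements; None is Cargo's "no compatible version" failure.
pub fn intersect(a: &str, b: &str) -> Option<Range> {
    let (ra, rb) = (parse_req(a), parse_req(b));
    let r = Range { lo: ra.lo.max(rb.lo), hi: ra.hi.min(rb.hi) };
    if r.lo < r.hi { Some(r) } else { None }
}

fn main() {
    // The scenario from the quoted paragraph: your crate says "1.7.3", foo says "1, <1.6".
    println!("{:?}", intersect("1.7.3", "1, <1.6")); // None: the resolver gives up
    println!("{:?}", intersect("1", "1, <1.6"));     // Some: any 1.0.0 <= v < 1.6.0 works
}
```

Loosening the pin from "1.7.3" to "1" (or to the lowest version actually required) is what turns the second result from None into a satisfiable range.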