Relax dependency pinning from patch to minor level only #153

Open

Member

@alerque alerque commented Nov 29, 2024

One of the things I've found frustrating trying to update dependencies in my own projects (and 3rd party ones) is keeping the dependency tree free of duplicate copies of the same crate at different pinned versions. This is a notable problem for this crate in particular because it has a number of dependencies pinned to exact patch versions and is frequently found in conjunction with other crates that do the same. An example of this is Typst (which uses rustybuzz directly) where it depends on resvg, which in turn depends on RustyBuzz and ttf-parser as well.

I propose relaxing the main manifest to only define dependencies at the minor version level. This will make downstream dependency trees quite a bit easier to manage and allow more frequent version bumps for some projects without bloating the build tree.

In the meantime we still have a tracked lock manifest with exact patch versions for what we have most recently tested and released.

Any feelings on this, guys?

@LaurenzV
Collaborator

I thought that even if you specify the minor version in Cargo.toml, as long as you don't specify the dependency with `=` the minor version won't be pinned? But if that's not the case, I'm fine with this change.
