Consider dependent crate versioning

[erichte-ibm]

Let's not have an NPM situation here, and make sure that we can automatically pull crates that get hotfixes for NastyStuff™

translation: figure out the semver in Cargo.toml to pull latest versions of crates always. Note: this may be in conflict with shipping Cargo.lock for reproducibility. Perhaps consider integrated CI with some kind of cargo audit to report and complain about compromised crates?