Switch bumping `cargo` security versions to using `cargo`'s `--precise` flag

[jeffwidman]

We want to move toward leveraging native package manager functionality where possible rather than re-implementing it in Ruby. Beyond being more DRY, it generally lets us sidestep a lot of maintenance / edge-case bugs.

It looks like cargo update supports a --precise flag that bumps a dependency to a specific version number.

We should explore switching to that for bumping security vulnerabilities.

Today we do the following for rust security updates:

1. query https://crates.io/ for available versions
2. filter for non-vulnerable versions
3. find the lowest remaining version
4. use Ruby gsub() to bump that in the manifest/lockfile

We should flip step 4 to using cargo directly via this --precise flag.

Related:

• Switch bumping cargo indirect deps via cargo's --aggressive flag #6426

[github-actions]

👋 This issue has been marked as stale because it has been open for 2 years with no activity. You can comment on the issue to hold stalebot off for a while, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.