Conversation

@davepacheco
Collaborator

When Cargo looks at dependency semver strings, it treats strings with no operator as having an implicit leading caret. However, Dependabot seems not to treat it this way, leading to the problems I mentioned in #156.

This change adds an explicit caret to all of our implicit caret dependencies. I also went back and undid the recent Cargo.toml changes that Dependabot made. This change should be safe because we tested these versions a week ago (and this PR will test them again). The benefit is that it eases the constraint on consumers, since we accept a wider range of versions.

Going forward, the hope is that:

  • For Dropshot users, it behaves like other libraries: Cargo.toml is only updated when we really depend on a newer version of something or when a semver-incompatible dependency update comes out. This allows consumers to use a range of versions.
  • By using Dependabot (and working around this issue), we also get the benefit of finding out pretty quickly when dependency changes have broken Dropshot.
  • By checking in Cargo.lock, when we find out about such breakage, it's in a Dependabot PR, not because the "main" branch build has broken.

I'm not totally sure whether this will work. I'm going by a few data points from #156 and dependabot/dependabot-core#4009. But this is pretty low risk and easy to undo.
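As an added illustration (not code from this PR or from Dropshot), the Cargo caret rule the description relies on, in Python: a bare requirement is normalized to its explicit `^` form, the version range a caret requirement admits is computed with Cargo's "bump the leftmost non-zero component" rule, and bare requirements in a constructed Cargo.toml are rewritten the way this PR did by hand. The sample manifest and all function names are assumptions.

```python
"""Cargo's rule the PR relies on: a bare requirement "1.2.3" means "^1.2.3"."""
import re
_BARE = re.compile(r"^\d+(\.\d+){0,2}$")               # "1", "1.2", "1.2.3": no operator
_DEP_LINE = re.compile(r'^\s*[\w-]+\s*=\s*"([^"]*)"')  # name = "1.2"
_INLINE = re.compile(r'version\s*=\s*"([^"]*)"')       # name = { version = "1.2", ... }

def normalize_req(req: str) -> str:
    """Add the '^' Cargo implies on a bare requirement; leave anything with an operator alone."""
    req = req.strip()
    return f"^{req}" if _BARE.match(req) else req

def caret_bounds(req: str):
    """(lower inclusive, upper exclusive) bounds of a caret requirement, per Cargo's rule:
    bump the leftmost non-zero component given, or the last given component if all are zero."""
    req = normalize_req(req)
    if not req.startswith("^"):
        raise ValueError(f"not a caret requirement: {req!r}")
    parts = [int(p) for p in req[1:].split(".")]
    lower = tuple(parts + [0] * (3 - len(parts)))
    idx = next((i for i, p in enumerate(parts) if p), len(parts) - 1)
    upper = [0, 0, 0]
    upper[:idx] = parts[:idx]
    upper[idx] = parts[idx] + 1
    return lower, tuple(upper)

def add_explicit_carets(cargo_toml: str) -> str:
    """Rewrite bare requirements in [*dependencies*] tables to their explicit '^' form;
    other tables (e.g. the [package] version) and non-version inline-table keys stay put."""
    out, in_deps = [], False
    for line in cargo_toml.splitlines():
        if line.lstrip().startswith("["):
            in_deps = "dependencies" in line
        elif in_deps:
            m = _INLINE.search(line) or _DEP_LINE.match(line)
            if m:
                line = line[: m.start(1)] + normalize_req(m.group(1)) + line[m.end(1):]
        out.append(line)
    return "\n".join(out)

# Constructed sample manifest (not Dropshot's real Cargo.toml).
SAMPLE_CARGO_TOML = """\
[package]
name = "example"
version = "0.1.0"
[dependencies]
serde = "1.0"
tokio = { version = "1.12", features = ["full"] }
pinned = "=0.4.1"
[dev-dependencies]
assert_matches = "1"
"""
```

Running `add_explicit_carets` a second time over its own output changes nothing, which is the property that makes a one-off rewrite like this PR safe to repeat.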

@davepacheco
Collaborator Author

Depends on #163.

@davepacheco
Collaborator Author

I'm less optimistic this will work after this comment. It may be time to look at Renovate instead.
