[pre-RFC] Security advisories as part of crates.io metadata

Shouldn't this be any version of the direct dependency? If the crate headache's latest version is 1.2.3, versions >= 1.0.0, < 1.2.3 are vulnerable, and the dependency specifies headache ^1.2.1, then even though 1.2.3 is not vulnerable, there is a possibility that the vulnerable version of headache (>= 1.2.1, < 1.2.3) mixes into the final executable.
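The check described in the post above, as an added example that is not part of the original post or of cargo/crates.io: it compares the whole range a caret requirement admits against the advisory's vulnerable range, beside the naive latest-version-only check. The function names (`caret_range`, `latest_is_vulnerable`, `exposed`) are hypothetical, and versions are assumed to be plain `major.minor.patch` triples.

```rust
// Added example, std only. Versions are (major, minor, patch) tuples;
// pre-release and build metadata are out of scope here.
type Version = (u64, u64, u64);
type Range = (Version, Version); // half-open: [lo, hi)

/// Parse "1.2.3"; None for anything that is not three numeric fields.
fn parse(v: &str) -> Option<Version> {
    let mut it = v.trim().split('.').map(|p| p.parse::<u64>().ok());
    let parsed = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(parsed) }
}

/// Range admitted by a Cargo caret requirement such as "^1.2.1".
fn caret_range(req: &str) -> Option<Range> {
    let lo = parse(req.trim().trim_start_matches('^'))?;
    let hi = match lo {
        (0, 0, patch) => (0, 0, patch + 1),
        (0, minor, _) => (0, minor + 1, 0),
        (major, _, _) => (major + 1, 0, 0),
    };
    Some((lo, hi))
}

/// Naive check: is only the latest published version inside the vulnerable range?
fn latest_is_vulnerable(latest: &str, vuln: (&str, &str)) -> Result<bool, &'static str> {
    let (v, lo, hi) = (parse(latest), parse(vuln.0), parse(vuln.1));
    match (v, lo, hi) {
        (Some(v), Some(lo), Some(hi)) => Ok(lo <= v && v < hi),
        _ => Err("malformed version"),
    }
}

/// Range check: vulnerable versions the requirement can still resolve to.
/// Malformed input is an error, never "not exposed".
fn exposed(req: &str, vuln: (&str, &str)) -> Result<Option<Range>, &'static str> {
    let (req_lo, req_hi) = caret_range(req).ok_or("malformed requirement")?;
    let lo = req_lo.max(parse(vuln.0).ok_or("malformed version")?);
    let hi = req_hi.min(parse(vuln.1).ok_or("malformed version")?);
    Ok(if lo < hi { Some((lo, hi)) } else { None })
}

fn main() {
    let vuln = ("1.0.0", "1.2.3"); // the post's case: >= 1.0.0, < 1.2.3
    println!("latest 1.2.3 vulnerable: {:?}", latest_is_vulnerable("1.2.3", vuln));
    println!("^1.2.1 exposed range:    {:?}", exposed("^1.2.1", vuln));
}
```

The reported range is what the requirement permits, not what a given build contains; the version actually compiled in is whichever one the lockfile pins.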