Shouldn't this be any version of the direct dependency? If the crate headache's latest version is 1.2.3, versions >= 1.0.0, < 1.2.3 are vulnerable, and the dependency specifies headache ^1.2.1, then even though 1.2.3 is not vulnerable there is a possibility that a vulnerable version of headache (>= 1.2.1, < 1.2.3) mixes into the final executable.
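The overlap described in this comment, worked through as an added example (not code from the thread or from the project under discussion): it expands a Cargo caret requirement such as `^1.2.1` into the half-open range Cargo may resolve it to, parses an advisory range written as `>= 1.0.0, < 1.2.3`, and reports the intersection, which is exactly the set of versions that could still be pulled into the build. The crate name `headache` and all version numbers are the constructed values from the comment; pre-release and build suffixes are not handled.

```rust
// Added example: does a dependency requirement overlap an advisory's vulnerable range?
use std::cmp::{max, min};

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parse "MAJOR.MINOR.PATCH" (constructed inputs only; no pre-release suffixes).
pub fn parse_version(s: &str) -> Option<Version> {
    let parts = s
        .trim()
        .split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()?;
    if parts.len() != 3 {
        return None;
    }
    Some(Version(parts[0], parts[1], parts[2]))
}

/// Half-open interval of versions: lo <= v < hi.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Range {
    pub lo: Version,
    pub hi: Version,
}

/// Expand a Cargo caret requirement (`^1.2.1`, `^0.2.3`, `^0.0.3`) into the
/// range of semver-compatible versions the resolver is allowed to pick.
pub fn caret_range(req: &str) -> Option<Range> {
    let lo = parse_version(req.trim().trim_start_matches('^'))?;
    let hi = match lo {
        Version(0, 0, p) => Version(0, 0, p + 1),
        Version(0, m, _) => Version(0, m + 1, 0),
        Version(maj, _, _) => Version(maj + 1, 0, 0),
    };
    Some(Range { lo, hi })
}

/// Parse an advisory range of the form ">= A.B.C, < X.Y.Z" (only these two
/// operators are supported in this example).
pub fn advisory_range(spec: &str) -> Option<Range> {
    let mut lo = None;
    let mut hi = None;
    for part in spec.split(',') {
        let part = part.trim();
        if let Some(v) = part.strip_prefix(">=") {
            lo = Some(parse_version(v)?);
        } else if let Some(v) = part.strip_prefix('<') {
            hi = Some(parse_version(v)?);
        } else {
            return None;
        }
    }
    Some(Range { lo: lo?, hi: hi? })
}

/// Intersection of two half-open ranges, or None when they do not overlap.
pub fn overlap(a: Range, b: Range) -> Option<Range> {
    let lo = max(a.lo, b.lo);
    let hi = min(a.hi, b.hi);
    if lo < hi {
        Some(Range { lo, hi })
    } else {
        None
    }
}

/// True when a concrete (e.g. lock-file) version falls inside the range.
pub fn contains(r: Range, v: Version) -> bool {
    r.lo <= v && v < r.hi
}

fn main() {
    // Constructed scenario from the comment: headache ^1.2.1, advisory >= 1.0.0, < 1.2.3.
    let req = caret_range("^1.2.1").unwrap();
    let adv = advisory_range(">= 1.0.0, < 1.2.3").unwrap();
    match overlap(req, adv) {
        Some(r) => println!("headache ^1.2.1 can still resolve into vulnerable range {:?}", r),
        None => println!("headache ^1.2.1 cannot resolve to a vulnerable version"),
    }
    let locked = parse_version("1.2.3").unwrap();
    println!("locked 1.2.3 is vulnerable: {}", contains(adv, locked));
}
```

With these inputs the intersection is `[1.2.1, 1.2.3)`, matching the range given in the comment; an auditing tool would therefore flag the requirement as potentially affected and then check the version actually pinned in the lock file (here 1.2.3, which is outside the advisory range) to decide whether the build as resolved is clean.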