Library dependency version specifiers aren't for fixing vulnerabilities