mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

relax pyproject dependency versions and introduce requirements.txt #2132

Closed williballenthin closed 3 months ago

williballenthin commented 3 months ago

closes #2053 closes #2079

    # As a library, capa uses lower version bounds
    # when specifying its dependencies. This lets
    # other programs that use capa (and other libraries)
    # find a compatible set of dependency versions.
    #
    # We can optionally pin to specific versions or
    # limit the upper bound when there's a good reason;
    # but the default is to assume all greater versions
    # probably work with capa until proven otherwise.
    #
    # The following link provides good background:
    # https://iscinumpy.dev/post/bound-version-constraints/
    #
    # When we develop capa, and when we distribute it as
    # a standalone binary, we'll use specific versions
    # that are pinned in requirements.txt.
    # But the requirements for a library are specified here
    # and are looser.
    #
    # Related discussions:
    # 
    #   - https://github.com/mandiant/capa/issues/2053
    #   - https://github.com/mandiant/capa/pull/2059
    #   - https://github.com/mandiant/capa/pull/2079
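
As an added illustration (not code from the capa repository or from this pull request): a consistency check for the split described in the comment above, where pyproject.toml carries loose bounds and requirements.txt carries the exact pins used for development and standalone builds. The package names, versions and the `check` helper are constructed for the example, and only plain numeric versions are handled.

```python
import operator
import re

# Constructed sample inputs (hypothetical packages, not capa's real lists).
PYPROJECT_DEPS = ["alpha-lib>=1.2.0", "beta_lib>=0.9", "gamma>=3.0.0,<4"]
REQUIREMENTS_TXT = """\
# pinned for development and standalone builds
alpha-lib==1.4.2
beta-lib==0.8.5
gamma==4.1.0
delta>=2.0
"""
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq,
       "<": operator.lt, ">": operator.gt}

def norm(name):
    # PEP 503 normalization: "beta_lib" and "beta-lib" are the same project.
    return re.sub(r"[-_.]+", "-", name).lower()

def ver(text):
    # Numeric release segments only; trailing zeros dropped so 3.0.0 == 3.
    parts = [int(p) for p in text.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse(spec):
    # Split "name>=1.0,<2" into a normalized name and (operator, version) pairs.
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", spec)
    clauses = re.findall(r"(>=|<=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)", m.group(2))
    return norm(m.group(1)), clauses

def check(bounds, requirements_text):
    """Return problems: unpinned lines, missing pins, pins outside the bounds."""
    pins, problems = {}, []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, clauses = parse(line)
        if len(clauses) == 1 and clauses[0][0] == "==":
            pins[name] = clauses[0][1]
        else:
            problems.append(f"{name}: not pinned with ==")
    for spec in bounds:
        name, clauses = parse(spec)
        if name not in pins:
            problems.append(f"{name}: no pin in requirements.txt")
            continue
        for op, bound in clauses:
            if not OPS[op](ver(pins[name]), ver(bound)):
                problems.append(f"{name}: pin {pins[name]} violates {op}{bound}")
    return problems
```

Run in CI, a non-empty result from `check` flags a requirements.txt update that has drifted outside what the library metadata promises.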


williballenthin commented 3 months ago

@uckelman-sf please review, too.

williballenthin commented 3 months ago

edit: works as desired


Need to verify that Dependabot will update requirements.txt for us, but I'm pretty sure they will. May also have to teach them not to touch the pyproject default profile, but we'll tune that when it becomes a problem.

williballenthin commented 3 months ago

We should do the same things to floss, viv utils, dncil, etc. and perhaps make it standard practice (if it works).

mr-tz commented 3 months ago

g2g?

uckelman-sf commented 3 months ago

This looks good; I'm running it through our testing now.

Thanks very much for making the change!