smithy-lang / smithy-rs

Code generation for the AWS SDK for Rust, as well as server and generic smithy client generation.
Apache License 2.0

aws-sdk-rust cargo audit should use minimum versions #1610

Open rcoh opened 2 years ago

rcoh commented 2 years ago

Currently, it will use the latest available versions, but we should pin higher versions to help customers avoid using vulnerable dependencies.

We should probably also run `cargo audit` in smithy-rs.

jdisanti commented 2 years ago

PR to check minimal versions in aws-sdk-rust: https://github.com/awslabs/aws-sdk-rust/pull/605

Will look into adding this check to smithy-rs.

jdisanti commented 2 years ago

I'm currently questioning the value of adding this to smithy-rs. So far, the minimum versions audit in aws-sdk-rust won't pass until two things happen:

  1. dev-dependencies are excluded from the audit
  2. SDK examples have their dependencies upgraded, or are excluded from the audit

I spent some time investigating excluding dev-dependencies, and it looks like the only way to do this will be to contribute some development effort to cargo-audit to add that option. I experimented with auditing an empty library crate that depends on the SDK crates as a way to remove the dev dependencies, but cargo audit still considers them since it is only looking at the Cargo.lock file.

I also briefly looked at upgrading the dependencies in aws-doc-sdk-examples, and this will require a good amount of scripting given the large number of Cargo.toml files in that repo.

Taking a step back, the main goal here is to know if versions allowed by the main SDK could be vulnerable, and for that, we probably shouldn't examine the dev-dependencies nor the examples. I can at least update the aws-sdk-rust checks to only consider the sdk/ directory for now, which should at least remove the examples from consideration.
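One way to work around the dev-dependency problem described above without changes to cargo-audit, as an added example that is neither code from this thread nor from smithy-rs or aws-sdk-rust: intersect the findings from `cargo audit --json` with the normal-edge dependency tree from `cargo tree -e normal`, so advisories reachable only through dev-dependencies are dropped. It assumes the cargo-audit JSON layout (`vulnerabilities.list[].advisory.id` and `.package.{name,version}`) and that Cargo.lock was already regenerated with minimal versions (for example `cargo +nightly update -Z minimal-versions`); the sample inputs are constructed.

```python
import json
import subprocess
import sys

# Constructed sample inputs shaped like `cargo audit --json` and
# `cargo tree -e normal --prefix none` output (the JSON layout is an assumption).
SAMPLE_AUDIT = json.dumps({"vulnerabilities": {"list": [
    {"advisory": {"id": "RUSTSEC-0000-0001"},
     "package": {"name": "shipped-dep", "version": "0.1.0"}},
    {"advisory": {"id": "RUSTSEC-0000-0002"},
     "package": {"name": "dev-only-dep", "version": "2.0.0"}},
]}})
SAMPLE_TREE = ("aws-config v0.46.0 (/tmp/sdk/aws-config)\n"
               "shipped-dep v0.1.0\n"
               "shipped-dep v0.2.0 (*)\n")


def parse_tree(tree_text):
    """Turn `cargo tree -e normal --prefix none` lines into a set of (name, version)."""
    deps = set()
    for line in tree_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("v"):
            deps.add((parts[0], parts[1][1:]))
    return deps


def filter_advisories(audit_json, tree_text):
    """Keep only advisories whose package is a normal (non-dev, non-build) dependency."""
    shipped = parse_tree(tree_text)
    findings = []
    for vuln in json.loads(audit_json).get("vulnerabilities", {}).get("list", []):
        pkg = vuln["package"]
        if (pkg["name"], pkg["version"]) in shipped:
            findings.append((vuln["advisory"]["id"], pkg["name"], pkg["version"]))
    return findings


def audit_crate(crate_dir):
    """Run the real tools in crate_dir; Cargo.lock should already hold minimal versions."""
    # cargo audit exits non-zero when it finds anything, so no check=True here.
    audit = subprocess.run(["cargo", "audit", "--json"], cwd=crate_dir,
                           capture_output=True, text=True).stdout
    tree = subprocess.run(["cargo", "tree", "-e", "normal", "--prefix", "none"],
                          cwd=crate_dir, capture_output=True, text=True, check=True).stdout
    return filter_advisories(audit, tree)


if __name__ == "__main__":
    # With no argument, run on the constructed sample; otherwise audit a real crate directory.
    if len(sys.argv) > 1:
        found = audit_crate(sys.argv[1])
    else:
        found = filter_advisories(SAMPLE_AUDIT, SAMPLE_TREE)
    for rustsec_id, name, version in found:
        print(f"{rustsec_id}: {name} {version}")
    sys.exit(1 if found else 0)
```

Pointing it at a checkout's `sdk/` directory keeps the examples out of the audit, as the comment above suggests.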