Make Dependabot ignore pinned versions

Explicitly list the package versions Dependabot should not update. This way whenever we do update a package to a newer version (because e.g. we have Rust 1.61), Dependabot will pick them up again, even if we forgot to update the file.

Untested, obviously. Not sure if this is the right approach, but it's in the documentation.