With dependabot and rust, if you specify X.X then minor releases won't be bumped, if minor releases would like to be included then X.X.x should be specified,

Conversely at a coarser granularity, there's no need for Dependabot to constantly be bumping those dependencies, as users will get the latest version automatically, which is what the current version requirements are optimizing for. I'd call that "working as intended".