Report newly held back dependencies on all commands

[epage]

Split out of #9930 for RFC #3537 for a more focused conversation

We need to make sure users know when Cargo selects old dependencies so users can make a conscious choice on their risks. This affects both MSRV and semver

[epage]

For performance, we can leverage the "is this changed" check that is part of write_pkg_lockfile.

This gets me thinking, should we report all dependency changes on all commands?

• If you don't have a lockfile already, we likely don't want to report everything as that would be noisy
  • We could put this behind --verbose
• We'd need to modify the language of the messages so they are understandable in other contexts, like changing "Adding foo v1.0.0" to "Adding dependency foo v1.0.0"
• I wonder if we should also put "Remove" messages behind verbose

Example:

1   1         Updating `dummy-registry` index
    2    +      Adding dependency baz v0.0.1
2   3      Downloading crates ...
3   4       Downloaded baz v0.0.1 (registry `dummy-registry`)
4   5         Checking baz v0.0.1
5   6         Checking foo v0.0.1 [..]
6   7         Finished [..]

[epage]

Started a zulip thread to raise visibility: https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/How.20to.20report.20.22held.20back.22.20dependencies.20from.20MSRV.20resolver