If you consciously import it, declare it as your own dependency too.
Some amount of implicit re‐exporting is usually necessary. That whole problem domain is a bit of a mess right now though:
This is not Swift‐specific. Even if all you do is reduce the range of a dependency you declare compatibility with, you’ve reduced the range of that same dependency that your clients can use at the same time as your package. The general principle of semantic versioning is that your version only represents your own vended API. If your client discovers they care about the differences in a sub‐dependency, they can declare it as their own dependency and select whatever range they want. It may restrict them from updating yours, but nothing breaks in their code. If they don’t notice, and their client doesn’t notice, and their client’s client doesn’t notice, then their client’s client’s client still has the same recourse to declare it themselves, so nothing is ever broken.
See also: semver.org’s own FAQ entry