constrain importlib-metadata versions in twine lockfile (Cherry-pick of

#21894) (#21905)

```
Lockfile diff: twine.lock [twine]

==                    Upgraded dependencies                     ==

  certifi                        2024.8.30    -->   2025.1.31
  charset-normalizer             3.3.2        -->   3.4.1
  cryptography                   43.0.1       -->   43.0.3
  idna                           3.8          -->   3.10
  jaraco-functools               4.0.2        -->   4.1.0
  keyring                        25.3.0       -->   25.5.0
  nh3                            0.2.18       -->   0.2.20
  pkginfo                        1.11.1       -->   1.12.0
  pygments                       2.18.0       -->   2.19.1
  rich                           13.8.0       -->   13.9.4
  urllib3                        2.2.2        -->   2.2.3
  zipp                           3.20.1       -->   3.20.2

==                !! Downgraded dependencies !!                 ==

  importlib-metadata             8.4.0        -->   7.2.1
```

fixes #21893

NOTE: We should probably move to twine >5.1, but this is intended to be
the "smallest" possible fix for 2.24 backporting.

Co-authored-by: cburroughs <[email protected]>