You'd think a lockfile would cause subsequent pulls of dependencies to be... locked to whatever versions, revisions, etc. are listed in the lockfile, but nope! It treats the lockfile like npm would package.json and has a separate toml file for "constraints".