Hacker News
by roca 1520 days ago
If your project has a Cargo.lock file checked into its repo, then everyone checking that out will download the same code for all dependencies (unless someone manages to compromise the crates.io package archive). That is very far from "the least reproducible thing ever".
1 comment

Cargo.lock also contains crate hashes. So, if someone compromises crates.io and tampers with a crate, you would notice.
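The mechanism both comments rely on, as an added example that is not from either commenter and not Cargo's own code: a small Python script that reads the `checksum` field Cargo writes for each registry package in Cargo.lock (the SHA-256 of the downloaded `.crate` archive) and rejects an archive whose hash no longer matches. The lock-file text and the crate bytes are constructed for the demo, and the git revision is a placeholder. It also shows the caveat a practitioner should keep in mind: path and git dependencies carry no checksum (a git dependency is pinned by the commit id in its `source` field instead), so the hash check only covers registry packages.

```python
"""Added example: how the checksum pinned in Cargo.lock lets a client detect a
tampered .crate archive. Constructed data throughout; not real crates.io content."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Source string Cargo writes for crates.io packages (this one is real).
CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"


@dataclass
class LockedPackage:
    name: str
    version: str
    source: Optional[str] = None    # None for path deps (the workspace's own crates)
    checksum: Optional[str] = None  # SHA-256 hex of the .crate file; registry packages only


def parse_cargo_lock(text: str) -> list[LockedPackage]:
    """Minimal parser for the [[package]] tables of a v2/v3 Cargo.lock.

    Only `key = "string"` lines for the four fields we need are read; the
    multi-line `dependencies = [...]` arrays are skipped. Not a general TOML parser.
    """
    packages: list[LockedPackage] = []
    fields: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if fields is not None:
                packages.append(LockedPackage(**fields))
            fields = {}
            continue
        m = re.fullmatch(r'(name|version|source|checksum)\s*=\s*"([^"]*)"', line)
        if m and fields is not None:
            fields[m.group(1)] = m.group(2)
    if fields is not None:
        packages.append(LockedPackage(**fields))
    return packages


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_crate(pkg: LockedPackage, crate_bytes: bytes) -> str:
    """Compare a downloaded .crate against the lock file.

    Returns "ok", "mismatch", or "unpinned" (path and git dependencies carry
    no checksum; a git dependency is pinned by the commit in the fragment of
    its `source` URL instead).
    """
    if pkg.checksum is None:
        return "unpinned"
    return "ok" if sha256_hex(crate_bytes) == pkg.checksum else "mismatch"


def lock_entry(name: str, version: str, source: Optional[str],
               crate_bytes: Optional[bytes]) -> str:
    """Render one [[package]] table the way cargo would at lock time.

    Stand-in for `cargo generate-lockfile`: the checksum is written only for
    registry sources, from the archive cargo downloaded at that moment.
    """
    lines = ["[[package]]", f'name = "{name}"', f'version = "{version}"']
    if source is not None:
        lines.append(f'source = "{source}"')
    if source is not None and source.startswith("registry+") and crate_bytes is not None:
        lines.append(f'checksum = "{sha256_hex(crate_bytes)}"')
    return "\n".join(lines) + "\n"


def demo() -> dict[str, str]:
    """Pin a lock file against genuine bytes, then check what a later
    `cargo build` would see if the registry served something else."""
    # Constructed stand-ins for .crate archives; real ones are tar.gz files.
    genuine = b"stand-in bytes for serde-1.0.0.crate"
    tampered = genuine + b"\n# injected build.rs"
    git_rev = "0" * 40  # constructed placeholder commit id
    lock_text = "version = 3\n\n" + "\n".join([
        lock_entry("serde", "1.0.0", CRATES_IO, genuine),
        lock_entry("my-tool", "0.1.0", None, None),  # the workspace crate itself
        lock_entry("helper", "0.2.0",
                   f"git+https://github.com/example/helper?branch=main#{git_rev}", None),
    ])
    by_name = {p.name: p for p in parse_cargo_lock(lock_text)}
    return {
        "serde-genuine": verify_crate(by_name["serde"], genuine),
        "serde-tampered": verify_crate(by_name["serde"], tampered),
        "helper-git": verify_crate(by_name["helper"], b"anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the genuine archive accepted, the modified one rejected, and the git dependency reported as unpinned by checksum. A registry compromise that changed a crate's contents would therefore fail the hash check on every machine with the committed Cargo.lock; it would not be caught for a git dependency unless the attacker also could not rewrite the pinned commit.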