Oh good point, I didn't think of transitive dependencies. A lot of languages I've worked with unfortunately have a 'do not check in the lockfile' culture, and a common 'blow away the lockfile when the package manager gets stuck' workflow, so that does concern me. Perhaps Cargo is better than average though, and the lockfile never needs nuking, providing this safety. This sounds like a good reason to check in the lockfile! Thanks for the response.