We currently don't check in Cargo.lock - this means that our CI breaks when downstream packages do and we have to maintain our own patch file to verify MSRV compatibility.  It's generally recommended to check in Cargo.lock to avoid these problems; we should consider moving to that.

If we do that, we'll also want to consider adding a new Evergreen task specifically to compile against latest version of dependencies to catch breakages in a controlled way; this would also go nicely with something like dependabot (RUST-557).