We just fixed an issue with Volta’s continuous integration tests — and, I think, also with the project “for real”! — where our Windows build was failing because the version of cargo-wix we were using was transitively depending on some packages which have started using a more recent MSRV than ours.
By default, cargo install does not use the lock file from the package being installed (per the docs). There are reasons for this, some of them historical and some of them contentious, but as a practical matter, using --locked avoids a lot of the kinds of problems we saw with cargo-wix on Volta this week.
You should probably use --locked with cargo install by default for tools you install locally, because that guarantees you are getting the same thing that the author used and presumably tested against. It is also a reasonably good default for your CI tests. That said, you may also want to have a CI job which does not use --locked to give you early signal about whether you will be in for a bad time at some point in the future.
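The two-job setup described above, as an added example that is not Volta's actual CI configuration. It assumes GitHub Actions with a Rust toolchain already on the runner; the workflow name, job names and schedule are hypothetical.

```yaml
# Added example: hypothetical workflow, not taken from the Volta repository.
name: windows-installer-tooling
on:
  push:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly run for the canary job below

jobs:
  # Required job: resolve cargo-wix's dependencies from the Cargo.lock
  # published with the crate, so new upstream releases cannot change the build.
  install-locked:
    if: github.event_name != 'schedule'
    runs-on: windows-latest
    steps:
      - run: cargo install --locked cargo-wix

  # Canary job: no --locked, so cargo resolves the newest compatible
  # dependencies. A failure here (for example, a dependency that raised its
  # MSRV) is an early warning and does not fail the workflow run.
  install-unlocked-canary:
    if: github.event_name == 'schedule'
    runs-on: windows-latest
    continue-on-error: true
    steps:
      - run: cargo install cargo-wix
```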