chore: check-in Cargo.lock (#2208)

* chore: check-in Cargo.lock

This commit checks the `Cargo.lock` file into git.

Version controlling `Cargo.lock` makes e.g. our CI builds more reproducible,
where two consecutive CI runs on the same commit use the same set of
dependencies, even if a compatible update of a dependency was published in
between the two runs.

This is also helpful when cutting patch releases of old Neqo versions, where
dependencies since shipped a breaking change in a patch version, e.g. a MSRV
update. See for example pinned dependencies in a recent Neqo patch release to
the Neqo v0.6 family.

mxinden@66e60f3

While previously the recommendation by the cargo team was for libraries to not
check in their `Cargo.lock`, this recommendation has since been replaced by "do
what is best for the project".

https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html

* Update url to v2.5.3

See corresponding mozilla-central patch https://bugzilla.mozilla.org/show_bug.cgi?id=1932137.

* Update zerovec-derive to v0.10.3

* Update shlex to v1.3.0

* Update to url v2.5.4

.github/dependabot.yml

@@ -7,6 +7,9 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    # Disable all non-security updates.
+    # <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit>
+    open-pull-requests-limit: 0
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:

.github/workflows/check.yml

@@ -129,6 +129,13 @@ jobs:
           path: simulation-seeds
           compression-level: 9
 
+  check-cargo-lock:
+    name: Ensure `Cargo.lock` contains all required dependencies
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - run: cargo update -w --locked
+
   bench:
     needs: [check]
     if: >

.gitignore

@@ -4,4 +4,3 @@
 /.vscode/
 /lcov.info
 /target/
-Cargo.lock