Is this normal behavior that cargo install don't respect lock file and downloads/compiles newest versions of dependencies? There's no versions specified in toml file.
Cargo.lock isn't included in the package uploaded to crates.io, so there's no way for cargo install to use the lockfile for these packages. This feels like a bug, especially because installing the same package using cargo install --git <repo> will correctly use the lockfile.
I filed an issue to for this: Packages for binary crates should include Cargo.lock · Issue #2263 · rust-lang/cargo · GitHub
Thanks!