Cargo.lock (like pretty much all other "lock" files used to pin versions) is a pain in the back and creates more problems than it solves. I've absolutely no idea why people endorse (nay, mandate) such a kludge at all for regular uses (i.e. every environment which does not depend on reproducible builds), and people refraining from maintaining one have nothing but my fullest sympathy.
Nevertheless, to maintain Cargo.lock you are depending on having a reliable mechanism to update the hashes, and yanking a package breaks that mechanism.