From 80a8563e488514864c1e6ac488c76890e64a901b Mon Sep 17 00:00:00 2001 From: Aria Desires Date: Thu, 7 May 2026 15:30:37 -0700 Subject: [PATCH] Ensure all mentions of cargo-install are --locked (#21592) There's already a preference for this in the codebase, but a few of them have drifted away. Generally `--locked` is preferred to reduce exposure to supply-chain attacks (and just generally improve reproducibility). In an ideal world these dependencies would maybe even be pinned to versions but Cargo is kinda bad at that for devtools. Still better to use --locked than not. --- AGENTS.md | 2 +- docs/install.md | 2 +- justfile | 2 +- tools/argument-comment-lint/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 6939d146b0..1b5e005130 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -130,7 +130,7 @@ When UI or text output changes intentionally, update the snapshots as follows: If you don’t have the tool: -- `cargo install cargo-insta` +- `cargo install --locked cargo-insta` ### Test assertions diff --git a/docs/install.md b/docs/install.md index b7d4f0711a..0991e7d16c 100644 --- a/docs/install.md +++ b/docs/install.md @@ -25,7 +25,7 @@ source "$HOME/.cargo/env" rustup component add rustfmt rustup component add clippy # Install helper tools used by the workspace justfile: -cargo install just +cargo install --locked just # Optional: install nextest for the `just test` helper cargo install --locked cargo-nextest diff --git a/justfile b/justfile index ca74c2e5c6..71eed89a35 100644 --- a/justfile +++ b/justfile 
@@ -47,7 +47,7 @@ install: # Run `cargo nextest` since it's faster than `cargo test`, though including # --no-fail-fast is important to ensure all tests are run. # -# Run `cargo install cargo-nextest` if you don't have it installed. +# Run `cargo install --locked cargo-nextest` if you don't have it installed. # Prefer this for routine local runs. Workspace crate features are banned, so # there should be no need to add `--all-features`. test: diff --git a/tools/argument-comment-lint/README.md b/tools/argument-comment-lint/README.md index 1b4895e325..7270c48867 100644 --- a/tools/argument-comment-lint/README.md +++ b/tools/argument-comment-lint/README.md @@ -54,7 +54,7 @@ create_openai_url(None, 3); Install the required tooling once: ```bash -cargo install cargo-dylint dylint-link +cargo install --locked cargo-dylint dylint-link rustup toolchain install nightly-2025-09-18 \ --component llvm-tools-preview \ --component rustc-dev \
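Review bot: In docs/install.md, the changed line `cargo install --locked just` still installs whichever release of `just` is newest at install time, because `--locked` only tells cargo to use the Cargo.lock packaged with that release. The commit message already notes the missing version pin. If the team wants reproducible installs, consider the `just@<pinned-version>` form here and on the `cargo-nextest` line below it, with the chosen versions recorded in one place so the four files cannot diverge again.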
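Review bot: In the justfile hunk, the comment above `test:` is another copy of the install command that docs/install.md already carries, and the commit message says copies like this are what drifted. Consider replacing the command in the comment with a pointer to docs/install.md. Alternatively, add a CI check that fails when `cargo install` appears in the repository without `--locked`, so that a future edit cannot reintroduce the unlocked form unnoticed.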
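Review bot: In tools/argument-comment-lint/README.md, the changed line leaves `cargo-dylint` and `dylint-link` floating to their latest releases, while the `rustup toolchain install` line directly below pins the toolchain to `nightly-2025-09-18`. Someone following these steps later gets a fixed compiler but whatever lint driver is current at that point. Consider pinning both crates with the `cargo-dylint@<version> dylint-link@<version>` form, using versions known to work with that nightly, and say in the README that the crate versions and the toolchain date should be bumped together.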