Without this flag, cargo would update the dependencies and the Cargo.lock file if necessary. This could make the build non-deterministic, e.g. if one version of the build updates a dependency to version 1.1 and the next build updates to version 1.2.
Using --locked enforces that dependencies are downloaded exactly as specified in Cargo.lock, making builds deterministic.
If users want to update the dependencies, they can call e.g. cargo check in the root, which updates dependencies
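A check that build scripts actually pass the flag, as an added example that is not part of the original text: it lists `cargo` build-type commands in a script that lack `--locked` (or `--frozen`, which also forbids lock file changes). The function names and the sample script are constructed for illustration, and the check assumes one command per line with the flag placed after the subcommand.

```sh
#!/bin/sh
# Added example: report cargo invocations in a script that may rewrite Cargo.lock.

# Subcommands that resolve dependencies, optionally preceded by a +toolchain.
PAT='(^|[^[:alnum:]_-])cargo[[:space:]]+(\+[^[:space:]]+[[:space:]]+)?(build|check|test|run|bench|doc|install)([[:space:]]|$)'

# Print "LINE:text" for each offending command; return 1 if any were found.
find_unlocked_cargo() {
    hits=$(grep -nE "$PAT" "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | grep -vE -- '(^|[[:space:]])--(locked|frozen)([[:space:]]|$)') || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample CI script (not taken from any real project).
make_sample() {
    cat <<'EOF'
#!/bin/sh
# cargo build is run twice below
cargo build --release
cargo build --release --locked
cargo +nightly test --workspace
cargo test --frozen
cargo fmt --check
RUSTFLAGS=-Dwarnings cargo check --locked --all-targets
cargo install cargo-audit
EOF
}

# Demo run against the sample.
tmp=$(mktemp) && make_sample > "$tmp"
find_unlocked_cargo "$tmp" || echo "add --locked to the commands listed above"
rm -f "$tmp"
```
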