Description
Is your feature request related to a problem or challenge?
Broken out of a discussion on a PR here:
DataFusion currently does not check in Cargo.lock, which was the recommendation for earlier versions of Rust.
@mbrobbel has a good point here #14069 (comment) that the guidance for Cargo.lock and library files has changed.
Describe the solution you'd like
TLDR: it sounds like the Rust team now suggests always committing Cargo.lock and letting dependabot handle updates. That seems like a good idea to me.
@gatesn suggested:
Just my two cents, but I have found Renovate to be much more configurable. Here's an example of a lock file maintenance PR: vortex-data/vortex#1818
Though one thing we have to be aware of in DataFusion is that as part of the Apache security posture, only certain third-party actions are allowed -- we would have to double check Renovate.
Describe alternatives you've considered
No response
Additional context
No response