chore(deps): only update Cargo.lock, not Cargo.toml requirements

Dependabot raised the lower-bound version requirements in Cargo.toml
(arrow, tokio, aws-sdk-*, etc.) to match the new lockfile versions. That
forces our library's consumers onto newer minimum versions and broke the
MSRV check, which downgrades aws-sdk-* crates to verify they still build
on Rust 1.91 — the downgrades could no longer satisfy the bumped
constraints.

Revert all Cargo.toml changes and regenerate Cargo.lock within the
existing requirement ranges. The point of this dependabot job is to keep
the lockfile (and the binaries we ship) current on security fixes, not
to bump our public minimum versions.

Also set `versioning-strategy: lockfile-only` so future dependabot PRs
only touch Cargo.lock.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/dependabot.yml

@@ -11,6 +11,11 @@ updates:
     schedule:
       interval: weekly
     open-pull-requests-limit: 10
+    # Only update Cargo.lock, never widen/raise the version requirements in
+    # Cargo.toml. The goal is keeping the lockfile (and the binaries we ship)
+    # current on security fixes, not forcing our library's consumers onto
+    # newer minimum versions.
+    versioning-strategy: lockfile-only
     groups:
       rust-minor-patch:
         update-types:

Cargo.toml

@@ -29,7 +29,7 @@ lance-encoding = { "version" = "=7.0.0-beta.7", "tag" = "v7.0.0-beta.7", "git" =
 lance-arrow = { "version" = "=7.0.0-beta.7", "tag" = "v7.0.0-beta.7", "git" = "https://github.com/lance-format/lance.git" }
 ahash = "0.8"
 # Note that this one does not include pyarrow
-arrow = { version = "58.3.0", optional = false }
+arrow = { version = "58.0.0", optional = false }
 arrow-array = "58.0.0"
 arrow-data = "58.0.0"
 arrow-ipc = "58.0.0"
@@ -55,14 +55,14 @@ futures = "0"
 log = "0.4"
 moka = { version = "0.12", features = ["future"] }
 object_store = "0.13.2"
-pin-project = "1.1.13"
+pin-project = "1.0.7"
 rand = "0.9"
 snafu = "0.8"
 url = "2"
 num-traits = "0.2"
 regex = "1.10"
 lazy_static = "1"
-semver = "1.0.28"
+semver = "1.0.25"
 chrono = "0.4"
 
 [profile.ci]

nodejs/Cargo.toml

@@ -23,21 +23,21 @@ env_logger.workspace = true
 futures.workspace = true
 lancedb = { path = "../rust/lancedb", default-features = false }
 lance-namespace.workspace = true
-napi = { version = "3.8.6", default-features = false, features = [
+napi = { version = "3.8.3", default-features = false, features = [
     "napi9",
     "async"
 ] }
-napi-derive = "3.5.6"
+napi-derive = "3.5.2"
 # Prevent dynamic linking of lzma, which comes from datafusion
 lzma-sys = { version = "0.1", features = ["static"] }
 log.workspace = true
 
 # Pin to resolve build failures; update periodically for security patches.
 aws-lc-sys = "=0.40.0"
-aws-lc-rs = "=1.17.0"
+aws-lc-rs = "=1.16.3"
 
 [build-dependencies]
-napi-build = "2.3.2"
+napi-build = "2.3.1"
 
 [features]
 default = ["remote", "lancedb/aws", "lancedb/gcs", "lancedb/azure", "lancedb/dynamodb", "lancedb/oss", "lancedb/huggingface"]

python/Cargo.toml

@@ -15,7 +15,7 @@ name = "_lancedb"
 crate-type = ["cdylib"]
 
 [dependencies]
-arrow = { version = "58.3.0", features = ["pyarrow"] }
+arrow = { version = "58.0.0", features = ["pyarrow"] }
 async-trait = "0.1"
 bytes = "1"
 lancedb = { path = "../rust/lancedb", default-features = false }
@@ -31,12 +31,12 @@ pyo3-async-runtimes = { version = "0.28", features = [
     "attributes",
     "tokio-runtime",
 ] }
-pin-project = "1.1.13"
+pin-project = "1.1.5"
 futures.workspace = true
 serde = "1"
 serde_json = "1"
 snafu.workspace = true
-tokio = { version = "1.52", features = ["sync", "rt-multi-thread"] }
+tokio = { version = "1.40", features = ["sync", "rt-multi-thread"] }
 libc = "0.2"
 
 [build-dependencies]

rust/lancedb/Cargo.toml

@@ -50,7 +50,7 @@ lance-namespace = { workspace = true }
 lance-namespace-impls = { workspace = true }
 moka = { workspace = true }
 pin-project = { workspace = true }
-tokio = { version = "1.52", features = ["rt-multi-thread"] }
+tokio = { version = "1.23", features = ["rt-multi-thread"] }
 log.workspace = true
 async-trait = "0"
 bytes = "1"
@@ -62,9 +62,9 @@ regex.workspace = true
 serde = { version = "^1" }
 serde_json = { version = "1" }
 async-openai = { version = "0.20.0", optional = true }
-serde_with = { version = "3.20.0" }
+serde_with = { version = "3.8.1" }
 tempfile = "3.5.0"
-aws-sdk-bedrockruntime = { version = "1.125.0", optional = true }
+aws-sdk-bedrockruntime = { version = "1.27.0", optional = true }
 # For remote feature
 reqwest = { version = "0.12.0", default-features = false, features = [
     "charset",
@@ -75,7 +75,7 @@ reqwest = { version = "0.12.0", default-features = false, features = [
     "stream",
 ], optional = true }
 http = { version = "1", optional = true } # Matching what is in reqwest
-uuid = { version = "1.23.1", features = ["v4"] }
+uuid = { version = "1.7.0", features = ["v4"] }
 polars-arrow = { version = ">=0.37,<0.40.0", optional = true }
 polars = { version = ">=0.37,<0.40.0", optional = true }
 hf-hub = { version = "0.4.1", optional = true, default-features = false, features = [
@@ -93,11 +93,11 @@ semver = { workspace = true }
 anyhow = "1"
 tempfile = "3.5.0"
 random_word = { version = "0.4.3", features = ["en"] }
-uuid = { version = "1.23.1", features = ["v4"] }
+uuid = { version = "1.7.0", features = ["v4"] }
 walkdir = "2"
-aws-sdk-dynamodb = { version = "1.105.0" }
+aws-sdk-dynamodb = { version = "1.55.0" }
 aws-sdk-s3 = { version = "1.55.0" }
-aws-sdk-kms = { version = "1.101.0" }
+aws-sdk-kms = { version = "1.48.0" }
 aws-config = { version = "1.5.10" }
 aws-smithy-runtime = { version = "1.9.1" }
 datafusion.workspace = true