The link inside .gitignore states:

If you’re building a non-end product, such as a rust library that other rust packages will depend on, put Cargo.lock in your .gitignore. If you’re building an end product, which are executable like command-line tool or an application, or a system library with crate-type of staticlib or cdylib, check Cargo.lock into git.

There's even a whole FAQ section called]

Why do binaries have Cargo.lock in version control, but not libraries?

Yet .gitignore in the template says

Remove Cargo.lock from gitignore if creating an executable, leave it for libraries

And the lockfile is not checked in.