It turns out that the Cargo.lock file here resolved many transitive dependencies differently from their resolutions in stellar-core (even though we pinned direct dependency versions -- this doesn't handle indirect dependencies).
I wrote a tool https://github.com/graydon/check-lockfile-intersection that analyzes pairs of lockfiles and tells you which differences exist, and then went through soroban-env's lockfile aligning it with stellar-core's.
I included in this an alignment (in Cargo.lock) on curve25519-dalek (from 4.1.2 -> 4.1.1 which is what's in core). The requirement (in Cargo.toml) on curve25519-dalek was earlier (in 1999a9cf16a53137da69287a5e8c1c0c76d370f6) weakened to allow 4.1.1 or 4.1.2, due to some build breakage that was preventing docs.rs from compiling us when we provided a pinned requirement =4.1.1. As far as I can tell, docs.rs will ignore Cargo.lock and re-resolve the requirement in Cargo.toml, so it should still build 4.1.2. Though we'll see!
(I also downgraded an overzealous requirement specified in soroban-simulation's Cargo.toml file)
It turns out that the Cargo.lock file here resolved many transitive dependencies differently from their resolutions in stellar-core (even though we pinned direct dependency versions -- this doesn't handle indirect dependencies).
I wrote a tool https://github.com/graydon/check-lockfile-intersection that analyzes pairs of lockfiles and tells you which differences exist, and then went through soroban-env's lockfile aligning it with stellar-core's.
I included in this an alignment (in Cargo.lock) on curve25519-dalek (from 4.1.2 -> 4.1.1 which is what's in core). The requirement (in Cargo.toml) on curve25519-dalek was earlier (in 1999a9cf16a53137da69287a5e8c1c0c76d370f6) weakened to allow 4.1.1 or 4.1.2, due to some build breakage that was preventing docs.rs from compiling us when we provided a pinned requirement
=4.1.1. As far as I can tell, docs.rs will ignore Cargo.lock and re-resolve the requirement in Cargo.toml, so it should still build 4.1.2. Though we'll see!(I also downgraded an overzealous requirement specified in soroban-simulation's Cargo.toml file)