docs: add dependency update and lockfile policy

[aviralgarg05]

Summary

Document dependency update policy and lockfile verification workflow.

Why

Dependency hygiene is easier for new contributors when update expectations are explicit.

Tasks

• Add a short "Dependency Policy" section in CONTRIBUTING.md
• Explain when to update Cargo.lock and Python lock files
• Add a simple checklist for dependency-related PRs

Acceptance Criteria

• Policy is concise and contributor-friendly
• Guidance covers Rust + Python paths
• No conflicting instructions with existing docs

[bibhupradhanofficial]

Hi 👋 @aviralgarg05

I’d like to take ownership of this documentation enhancement and add a clear dependency update and lockfile policy to the project.

My plan is to:
1️⃣ Add a “Dependency Policy” section to CONTRIBUTING.md

• Keep it concise and contributor-friendly.
• Clearly explain when dependencies should be updated versus left unchanged.
• Define expectations around version pinning and minimal update scope.

2️⃣ Clarify Lockfile Guidance (Rust + Python)

• Explain when Cargo.lock should be committed or updated in Rust workflows.
• Provide guidance for Python lock files (e.g., when to regenerate them and how).
• Ensure instructions are consistent with current repository practices.

3️⃣ Add a Simple Checklist for Dependency-Related PRs

• Include items such as:
• Justification for dependency addition/update
• Lockfile updated (if required)
• No unnecessary version bumps
• Project builds/tests successfully after update

4️⃣ Validate Consistency

• Review existing documentation to ensure there are no conflicting instructions.
• Keep the tone aligned with the current contributing guidelines.

The goal is to make dependency hygiene explicit and reduce friction for new contributors while keeping the documentation lightweight and practical.

Please let me assign this issue under the label OSCG26.