rewrites the installation of packages from scratch to solve several issues with
the existing implementation:
- does not need to choose between lockfile and jsonnetfile anymore. The
jsonnetfile specifies what is to be installed, while the lockfile also has
versions and checksums of all packages, even nested ones.
- the lockfile is regenerated on every run, preserving the locked values
- downloaded packages are hashed using sha256 to make sure we receive what we
expect. If files on the local disk are modified, they are downloaded again.

So far, `pkg` and `pkg/jsonnetfile` had overlapping functionality when it came
to choosing and loading jsonnetfiles.
This fully switches to the separate package `pkg/jsonnetfile` that seems to be
created for exactly this purpose.

Refactors the dependency parsing function chain to evaluate the type of the
dependency right in `parseDependency` to make it clearer what is going on while
reading the code. Before, functions were returning if it was a different type,
which was not that clear from `parseDependency`.

Previously, even when installing dependencies from a lockfile,
jsonnet-bundler would attempt to resolve versions of transitive
dependencies to their latest floating version. Instead, when a lock-file
is specified, jsonnet-bundler should just install the specified versions.
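
As an added illustration (not jsonnet-bundler's own code) of the sha256 check described in the first message above: hash a vendored package directory and fetch it again when it no longer matches the checksum recorded in the lockfile. The names `hashDir`, `needsDownload` and `lockedSum`, the hex encoding and the exact bytes fed to the hash are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// hashDir hashes the relative path, size and content of every regular file
// under dir. filepath.Walk visits entries in lexical order (deterministic).
func hashDir(dir string) (string, error) {
	h := sha256.New()
	err := filepath.Walk(dir, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err // walk error, or nil to skip directories and symlinks
		}
		rel, _ := filepath.Rel(dir, p)
		fmt.Fprintf(h, "%s\x00%d\x00", filepath.ToSlash(rel), info.Size())
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = io.Copy(h, f)
		return err
	})
	return hex.EncodeToString(h.Sum(nil)), err
}

// needsDownload reports whether the vendored copy in dir is missing or no
// longer matches the checksum recorded for it (lockedSum, hypothetical name).
func needsDownload(dir, lockedSum string) bool {
	sum, err := hashDir(dir)
	return err != nil || sum != lockedSum
}

func main() {
	dir, _ := os.MkdirTemp("", "pkg") // constructed sample package
	defer os.RemoveAll(dir)
	file := filepath.Join(dir, "main.libsonnet")
	os.WriteFile(file, []byte("{ a: 1 }\n"), 0o644)
	locked, _ := hashDir(dir)
	fmt.Println("unmodified:", needsDownload(dir, locked))
	os.WriteFile(file, []byte("{ a: 2 }\n"), 0o644)
	fmt.Println("modified:  ", needsDownload(dir, locked))
}
```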