rewrites the installation of packages from scratch to solve several issues with
the existing implementation:
- does not need to choose between lockfile and jsonnetfile anymore. The
jsonnetfile what to be installed, while the lockfile also has versions and
checksums of all packages, even nested ones.
- the lockfile is regenerated on every run, preserving the locked values
- downloaded packages are hashed using sha256 to make sure we receive what we
expect. If files on the local disk are modified, they are downloaded again.
Refactors the dependency parsing function chain to evaluate the type of the
dependency right in `parseDependency` to make it clearer what is going on while
reading the code. Before, functions were returning if it was a different type,
which was not that clear from `parseDependency`.
Previously even when installing dependencies from a lockfile,
jsonnet-bundler would attempt to resolve versions of transitive
dependencies to their latest floating version. Instead when a lock-file
is specified jsonnet-bundler should just install the specified versions.
