Add option to disable transitive dependency resolution

[dillon-giacoppo]

At the moment we pass the requirements.txt directly into pip wheel. This will automatically resolve transitive dependencies which we then install.

This behavior is not ideal as pip has a naive resolution mechanism of "first found". This can lead to unintended version bumps which break the hermetic promise of Bazel. Dependency resolution is also an expensive operation, especially for PyPI packages that need to be built.

It should be considered whether dependency resolution should be opt-in by default, for performance and hermiticity. This perhaps goes hand in hand with a "pin" concept similar to rules_jvm_external.

Note, this is not a proposal to remove the automatic dependency linking of pip packages once they are installed. i.e there should be no need to specify transitive dependencies in the deps of py targets.

[jin]

FWIW, if you're going with the pinning concept of r_j_e, I recommend using .bzl as the lockfile format instead of JSON for better interoperability with the rest of the Bazel tooling.