build: pin versions of Nimble packages #387

@ee7

Description

Our configlet.nimble currently contains

requires "nim >= 1.4.8"
requires "parsetoml"
requires "cligen"
requires "uuids >= 0.1.11"

showing that, currently, we just use the latest version of the Nimble packages parsetoml, cligen, and uuids. This makes the build less reproducible, and allows buggy/malicious updates to these dependencies to affect configlet.

We're in this situation because, unfortunately, Nimble doesn't fully support pinning a fixed hash. It's possible to write e.g.

requires "parsetoml == 0.6.0"

and this is probably an improvement, but nothing stops someone with write access to parsetoml from tagging a different commit as 0.6.0.

Some possible solutions:

  1. Use git submodules (or similar).
  2. Use == for each Nimble dependency in the Nimble file, and then make the tests fail if the installed package is not as expected (to catch the re-tag case).
  3. Add an extra build script that clones each package repo and installs a fixed version. Then, the dependency is already satisfied when nimble build is run.
  4. Wait for Nimble to support lock files - this is hopefully coming in the not-so-distant future (see giant PR: https://github.com/nim-lang/nimble/pull/913/files).
  5. Pin commit refs of packages in the .nimble file, even though it isn't recommended. Edit: this is what we did (see d6d7283).
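As an added example (not configlet's own tooling), the check behind options 2 and 5 can be made a CI step: parse the `requires` lines of a .nimble file and flag every package that is not pinned to a full commit hash, treating `== version` as still re-taggable. The 40-hex hash in the test input is a constructed placeholder, not a real parsetoml commit.

```python
"""Audit a .nimble file for dependencies that are not pinned to a commit."""
import re
from typing import List, NamedTuple, Optional

# Nimble spec forms: "name", "name >= 1.2", "name == 0.6.0", "name#<ref>".
# The ref after '#' may be a branch, a tag, "head" or a commit hash.
SPEC_RE = re.compile(
    r'^(?P<name>[^\s#<>=~!^]+)\s*'
    r'(?:#(?P<ref>\S+)|(?P<op>==|>=|<=|>|<|~=|\^=)\s*(?P<ver>\S+))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


class Finding(NamedTuple):
    name: str
    spec: str
    status: str  # "pinned", "tag", "ref" or "floating"
    note: str


def parse_requires(nimble_text: str) -> List[str]:
    """Return every quoted dependency spec found on `requires` lines."""
    specs: List[str] = []
    for line in nimble_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("requires"):
            specs.extend(re.findall(r'"([^"]*)"', stripped))
    return specs


def classify(spec: str) -> Optional[Finding]:
    m = SPEC_RE.match(spec.strip())
    if m is None:
        return Finding(spec, spec, "floating", "unrecognised spec")
    name = m["name"]
    if name == "nim":
        return None  # compiler version requirement, not a Nimble package
    if m["ref"] is not None:
        if FULL_SHA_RE.match(m["ref"]):
            return Finding(name, spec, "pinned", "full commit hash")
        return Finding(name, spec, "ref", f"'{m['ref']}' is a branch, tag or short hash and can move")
    if m["op"] == "==":
        return Finding(name, spec, "tag", f"version {m['ver']} resolves via a git tag that can be re-tagged")
    return Finding(name, spec, "floating", "newest matching release is installed at build time")


def audit(nimble_text: str) -> List[Finding]:
    return [f for f in map(classify, parse_requires(nimble_text)) if f is not None]


def unpinned(nimble_text: str) -> List[str]:
    """Names of packages that would fail a 'must be pinned to a commit' CI gate."""
    return [f.name for f in audit(nimble_text) if f.status != "pinned"]
```

Running `unpinned()` over the four `requires` lines quoted above reports parsetoml, cligen and uuids; a `name#<40-hex-sha>` entry is the only form it accepts as pinned.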
