Because ahkpm uses git for dependencies, almost everything that we rely on to identify the correct version of a dependency's code is mutable. That means that if a user reinstalls branch:main, the code may have changed out from under the user without their knowledge. To mitigate this, we should add a lockfile (ahkpm.lock?) which records, at a minimum, the exact commit that a dependency resolved to when it was first installed. And when reinstalling that dependency, we should use that commit rather than whatever commit the version identifier now resolves to.
Upgrading direct dependencies should be a conscious choice, not accidental or automatic.
This involves the following:

- Deciding on a lockfile format
- Recording/updating the lockfile on installations
- Installing purely from the lockfile if there are no dependency changes
- Using the contents of the lockfile to guide ahkpm install when a dependency's version has changed
- Using the contents of the lockfile to guide ahkpm install when there is a new dependency
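The lockfile behaviour described in the issue, as an added illustration rather than ahkpm's own code: an unchanged dependency is reinstalled at its pinned commit even after the branch moves, while a changed version spec or a new dependency is resolved afresh and the lock updated. The JSON layout, the `remote` mapping standing in for `git ls-remote`, and the dependency names are all constructed assumptions, since the issue leaves the lockfile format undecided.

```python
import json

# Constructed stand-in for "resolve a git ref to a commit" (no network).
# A real tool would run something like `git ls-remote` or inspect a clone.
def resolve(remote, dep, version):
    return remote[(dep, version)]

def install(manifest, lock, remote):
    """Plan an install.

    manifest: {dep: version spec, e.g. "branch:main"}
    lock:     {dep: {"version": spec, "commit": sha}} read from ahkpm.lock
    remote:   constructed mapping (dep, spec) -> commit the spec points at now
    Returns (commit chosen per dep, updated lock contents).
    """
    resolved, new_lock = {}, {}
    for dep, version in manifest.items():
        entry = lock.get(dep)
        if entry is not None and entry["version"] == version:
            # Unchanged dependency: reuse the pinned commit even if the
            # branch or tag has since moved on the remote.
            commit = entry["commit"]
        else:
            # New dependency or changed version spec: resolve afresh.
            commit = resolve(remote, dep, version)
        resolved[dep] = commit
        new_lock[dep] = {"version": version, "commit": commit}
    # Dependencies dropped from the manifest simply fall out of the lock.
    return resolved, new_lock

def dump_lock(lock):
    # Assumed lockfile format: sorted JSON, so diffs stay reviewable.
    return json.dumps(lock, indent=2, sort_keys=True)

def load_lock(text):
    return json.loads(text) if text else {}

def demo():
    remote = {("example/lib", "branch:main"): "1111aaaa",
              ("example/lib", "tag:v1.2.0"): "2222bbbb",
              ("example/util", "branch:main"): "3333cccc"}
    manifest = {"example/lib": "branch:main"}
    first, lock = install(manifest, {}, remote)
    # Upstream pushes to main; without the lock a reinstall would pick this up.
    remote[("example/lib", "branch:main")] = "9999ffff"
    second, lock = install(manifest, load_lock(dump_lock(lock)), remote)
    # Deliberate upgrade of lib plus a brand-new dependency.
    manifest = {"example/lib": "tag:v1.2.0", "example/util": "branch:main"}
    third, lock = install(manifest, lock, remote)
    return first, second, third, lock
```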
With #74 merged, the biggest risk and annoyance has been mitigated, so I am closing this as done. However, I am also opening #75 to continue tracking the remaining pieces.