Only rely on shasum for dependency cache hit

[c0d1ngm0nk3y]

fixes #233, like proposed here, let's do this change in the next major update. It is not breaking, but it will change the behaviour in a subtle way. Before, it was possible that the very same dependency was downloaded again.

Summary

When checking if some dependency can be reused, it should be enough to check the shasum. There is no need to verify that the metadata is the same (the binary is).

Use Cases

This caused cache misses when the metadata was different (e.g. DeprecationDate).

Checklist

• I have viewed, signed, and submitted the Contributor License Agreement.
• I have linked issue(s) that this PR should close using keywords or the Github UI (See docs)
• I have added an integration test, if necessary.
• I have reviewed the styleguide for guidance on my code quality.
• I'm happy with the commit history on this PR (I have rebased/squashed as needed).

[anthonydahanne]

hello @c0d1ngm0nk3y
I just noticed your PR, and unfortunately I previously merged a significant change in release-2.x : #265

Can you please rebase on top of release-2.x please?
Thank you!

[c0d1ngm0nk3y]

I have updated the branch. Any comments?