Fixes comma support in the lockfile

[arcanis]

The lockfile format doesn't currently escape commas in ranges, which leads to lockfile corruption when they contain some (since we already split on commas entries with multiple descriptors).

This diff addresses that by making sure we escape commas when serializing multikeys.

---

Note

Medium Risk
Changes lockfile key serialization/deserialization rules to introduce escaping for commas/backslashes, which could impact reading/writing lockfiles across versions if edge cases aren’t handled correctly.

Overview
Prevents lockfile corruption when descriptor strings contain commas (e.g., comma-separated PyPI ranges) by escaping , and \\ when serializing MultiKey values and updating deserialization to correctly unescape them while preserving unknown escapes for backward compatibility.

Adds an acceptance test that runs install twice with a comma-separated pypi: range to ensure lockfile round-trips cleanly.

^{Reviewed by Cursor Bugbot for commit 33eb8f8. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

⏱️ Benchmark Results

gatsby install-full-cold

Metric	Base	Head	Difference
Mean	2.463s	2.462s	-0.07% ✅
Median	2.458s	2.459s	+0.06% ⚠️
Min	2.399s	2.380s
Max	2.672s	2.563s
Std Dev	0.054s	0.042s

📊 Raw benchmark data (gatsby install-full-cold)

Base times: 2.672s, 2.475s, 2.513s, 2.546s, 2.466s, 2.466s, 2.433s, 2.429s, 2.400s, 2.480s, 2.413s, 2.458s, 2.492s, 2.432s, 2.435s, 2.399s, 2.488s, 2.484s, 2.493s, 2.490s, 2.423s, 2.412s, 2.438s, 2.409s, 2.457s, 2.505s, 2.451s, 2.417s, 2.476s, 2.446s

Head times: 2.479s, 2.459s, 2.429s, 2.430s, 2.453s, 2.485s, 2.456s, 2.514s, 2.404s, 2.439s, 2.499s, 2.504s, 2.563s, 2.511s, 2.479s, 2.521s, 2.418s, 2.399s, 2.479s, 2.438s, 2.455s, 2.467s, 2.519s, 2.409s, 2.421s, 2.380s, 2.459s, 2.441s, 2.468s, 2.466s

---

gatsby install-cache-and-lock (warm, with lockfile)

Metric	Base	Head	Difference
Mean	0.371s	0.365s	-1.47% ✅
Median	0.365s	0.364s	-0.44% ✅
Min	0.355s	0.359s
Max	0.478s	0.405s
Std Dev	0.022s	0.008s

📊 Raw benchmark data (gatsby install-cache-and-lock (warm, with lockfile))

Base times: 0.364s, 0.365s, 0.369s, 0.365s, 0.372s, 0.371s, 0.376s, 0.376s, 0.388s, 0.372s, 0.371s, 0.371s, 0.365s, 0.368s, 0.366s, 0.364s, 0.366s, 0.393s, 0.355s, 0.364s, 0.360s, 0.478s, 0.355s, 0.358s, 0.361s, 0.357s, 0.369s, 0.361s, 0.357s, 0.361s

Head times: 0.365s, 0.366s, 0.366s, 0.364s, 0.362s, 0.362s, 0.363s, 0.364s, 0.405s, 0.362s, 0.368s, 0.365s, 0.363s, 0.362s, 0.364s, 0.365s, 0.363s, 0.365s, 0.362s, 0.364s, 0.360s, 0.362s, 0.365s, 0.359s, 0.361s, 0.359s, 0.362s, 0.373s, 0.364s, 0.367s