Always add the commit hash to the lock file

[j8r]

Now the commit hash isn't used when a version is specified.
If the maintainer of a library rebase or force-push a new commit, and then recreating a tag, we can end up with a untrustworthy/untested dependency without knowing it.
Having a commit hash along with the pinned version prevents this type of ninja changes.

[jhass]

#354 did implement this.

[jhass]

Actually taking a second look at the code I'm not 100% confident about this anymore, @waj would you mind to confirm?

[waj]

@jhass correct, the hash is only stored as version metadata when using git references (branch, tag, commit). I'd like to use a slightly different mechanism so we could still differentiate the intention of the lock, and thus provide better error messages.

[jhass]

But I guess with #354 in place, validating the stored commit still matches the stored git tag or version should be pretty easy to do, would be great if you could keep that in mind :)