Pin external deps to ensure explicit updates to lage bundle

[ecraig12345]

Lage bundles its dependencies, so if we use the standard approach of ^ versions for external dependencies, this can allow implicit updates (via the lock file) which won't immediately trigger a new release, and won't be noted in the release notes when a new version does include them. This means that if a dep introduces a bug, and it's only discovered in another repo, it's extremely hard to track down how it was introduced.

Probably the safest workaround is to pin all external dependencies that updates are explicit and included in the release notes. (Exception is glob-hasher, which is a runtime dep since it ships binaries.)

This has minor downsides for cloudpack packages which depend on lage packages (potential for duplicate deps), but the benefit for core lage scenarios is worth it.

[netlify]

✅ Deploy Preview for peppy-praline-1c3272 ready!

Name	Link
🔨 Latest commit	e17bec1
🔍 Latest deploy log	https://app.netlify.com/sites/peppy-praline-1c3272/deploys/658408a5fa8cf10008efa39a
😎 Deploy Preview	https://deploy-preview-712--peppy-praline-1c3272.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.