Retrieve authoritative vendor JSONs from URL

[JaciBrunning]

Currently, it's required that vendors submit a PR to this repository every time they update their library with a copy of their vendordeps file. In many cases, this vendordep file is already hosted somewhere else (defined in the "jsonUrl" property). Having to update this repo adds friction to the automated CI/CD process that some vendors use in publishing their builds, and also introduces a source of data duplication.

Given vendordeps can be hosted pretty much anywhere on the internet (including as a raw github artifact), I don't see why we need to duplicate this data here. If a "bundled" copy is required for downstream tooling that uses this, can we invoke that as a build process as opposed to committing vendordeps in-tree?

[ThadHouse]

I’m actually tempted to go the other way. Remove the jsonUrl and force this repo to be the authoritative source.

This way there’s a set known place where all supported vendor deps are, and it’s easy to know when updates are actually released.

[jasondaming]

Many vendors also do not keep previous versions of their json files instead choosing to only link a "latest". While this is fine in many cases it removes the ability for the user to return to a previous version.

[sciencewhiz]

There's also #60 for CI integration.