feat(unstable): single checksum per JSR package in the lockfile

[dsherret]

This changes the lockfile to not store JSR specifiers in the "remote" section. Instead a single JSR integrity is stored per package in the lockfile, which is a hash of the version's x.x.x_meta.json file, which contains hashes for every file in the package. The hashes in this file are then compared against when loading.

Additionally, when using { "vendor": true } in a deno.json, the files can be modified without causing lockfile errors—the checksum is only checked when copying into the vendor folder and not afterwards (eventually we should add this behaviour for non-jsr specifiers as well). As part of this change, the vendor folder creation is not always automatic in the LSP and running an explicit cache command is necessary. The code required to track checksums in the LSP would have been too complex for this PR, so that all goes through deno_graph now. The vendoring is still automatic when running from the CLI.

PRs that enabled this change:

• refactor: remove CachedUrlMetadata and only copy file from global to local cache in read_file_bytes deno_cache_dir#41
• feat: ability to provide a checksum for global cache deno_cache_dir#42
• feat: add setting to prevent copying from global to local cache deno_cache_dir#44
• feat: add jsr integrity to lockfile deno_lockfile#18
• feat: load JSR URLs using checksum found in package's manifest deno_graph#380

[mmastrac]

LGTM