pin dependencies?

[meejah]

Since this is "a program" (only) now (after splitting from the magic-wormhole repository), we could follow the recommendations to more exactly pin the requirements, with hashes. (When a project can be used as a library, pinning requirements exactly is tough for downstream).

At least one consumer of this apparently wants something like this, although the exact ask doesn't have a corresponding ticket explaining the requirements: https://github.com/LeastAuthority/magic-wormhole-docker/pull/30

Note that downstream consumer isn't actually checking hashes, it seems (so exact reproducibility must not be the use-case). I believe it's just so that exact versions of dependencies are known.