Introduce a lock file

[dunglas]

It could be nice to introduce a lock file, similar to composer.lock, allowing rebuilding PHP with the exact same version of the dependencies.

This would prevent issues such as #577

[crazywhalecc]

After a week of long experiments, I think this needs to be carefully considered because it may destroy the existing build process.

1. Dependencies are defined by lib.json and ext.json, and the lockfile you mentioned should be used to lock dependencies for the current build combination and parameters. But this does not make sense for the same spc version.
2. If we are locking file of dependencies, the existing .lock.json files for download already implement this feature.
3. Locking files based on dependency versions requires a lot of work, such as hashing dependency files (including folder types), parsing the version of each dependency library, and so on.

If we just want to achieve a similar effect to composer.lock (to ensure that all current library versions are consistent), we may need to rewrite the logic of the Downloader part. This is because the content downloaded from the same link may change when many dependencies are downloaded, such as when getting the latest version of the extension from pecl.