package.json `dependencies` changes are not handled adequately

[kriszyp]

If you deploy a component (and doesn't include node_modules), the package manager will install the dependencies. Deploying a newer component with newer dependencies will result in new dependencies being installed. However the experience of editing in place is not the same; updating a package.json file with new dependencies does not result in new dependencies being installed.

So we would like to:

• When a package manager is used to install packages for an application, the harper-application-lock.json should record a hash of the application's package.json's dependencies.
• On startup check if the package manager needs to be run. If the dependencies have been changed, we need to reinstall.
• The component loader should have implicit watching (like handleApplication/handleEntry) that watches package.json and triggers a requestRestart when a change is made to that file.

Some parts of this to note and track:

• Deploying a component with a new package.json shouldn't result in a second package management installation after the first. I believe following the first rule above should handle this properly.
• If you deploy a component with a node_modules folder, that means that we do not run any package manager. And this should be flagged in the harper-application-lock.json, as the hash should not be recorded, and future changes to the package.json should not trigger any reinstall with the package manager. (unless there is a future deploy_component without a node_modules that resets that state/flag).

[dawsontoth]

Yup, sounds good to me!