Description
Problem
Currently, flow.json dependencies are always effectively pinned to the most recent version, enforced by a hash check/on-chain query.
However, when local dependencies drift from those on-chain, there is currently no way for the dependency manager to query these historical versions, so we must return an error if they choose not to update their outdated dependencies.
Suggested Solution
Introduce a JSON schema similar to the following:
"dependencies": {
    "source": "",
    "aliases": {},
    "block_height": "1234",
    "hash": "4567"
}
Where instead of returning errors in cases where the user has a valid, but outdated, dependency and chooses not to update (i.e. https://github.com/onflow/flow-cli/blob/master/internal/dependencymanager/dependencyinstaller.go#L687), we should rather install the dependency from the included block height pin (if it exists).
For legacy projects, the first install after updating the CLI should pin the dependency to the latest block height. We should also validate that we don't have backward-compatibility issues with older CLI versions, or, if these exist, identify where they are and what mitigation strategies we can leverage.
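The resolution rules above, worked through as a stand-alone Go example. This is an added illustration, not code from flow-cli: the `ChainReader` interface and `fakeChain` are hypothetical stand-ins for the on-chain query, `contractHash` assumes hex SHA-256 of the contract source (the issue does not say how the CLI hashes contracts), and the contract versions in `sampleChain` are constructed data. It adds one check the proposal implies but does not spell out: code fetched at the pinned height is verified against the recorded hash before it is installed, so a flow.json whose height and hash disagree is refused rather than trusted.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Dependency mirrors the proposed flow.json entry; block_height is optional so legacy (hash-only) entries decode.
type Dependency struct {
	Source      string `json:"source"`
	BlockHeight string `json:"block_height,omitempty"`
	Hash        string `json:"hash"`
}

// contractHash is an assumed scheme (hex SHA-256 of the contract source); the issue does not describe the real one.
func contractHash(code string) string {
	sum := sha256.Sum256([]byte(code))
	return hex.EncodeToString(sum[:])
}

// ChainReader is a hypothetical stand-in for the dependency manager's on-chain query (a real one talks to an access node).
type ChainReader interface {
	LatestContract(source string) (code, height string, err error)
	ContractAtHeight(source, height string) (code string, err error)
}

// Resolution reports which code was installed and whether it came from the block-height pin.
type Resolution struct {
	Code        string
	Pinned      bool
	BlockHeight string
}

var (
	ErrOutdatedNoPin = errors.New("dependency is outdated and has no block_height pin")
	ErrPinMismatch   = errors.New("code at pinned block height does not match recorded hash")
)

// resolveDependency applies the proposed rules and returns the possibly re-pinned entry:
// up to date or update accepted -> install latest and record its block height (this is
// what pins a legacy project on first install); declined with a pin -> install the code
// at the pinned height if it still matches the recorded hash; declined, no pin -> error.
func resolveDependency(chain ChainReader, dep Dependency, acceptUpdate bool) (Resolution, Dependency, error) {
	latestCode, latestHeight, err := chain.LatestContract(dep.Source)
	if err != nil {
		return Resolution{}, dep, err
	}
	if latestHash := contractHash(latestCode); dep.Hash == latestHash || acceptUpdate {
		dep.Hash, dep.BlockHeight = latestHash, latestHeight
		return Resolution{Code: latestCode, BlockHeight: latestHeight}, dep, nil
	}
	if dep.BlockHeight == "" {
		return Resolution{}, dep, ErrOutdatedNoPin
	}
	pinnedCode, err := chain.ContractAtHeight(dep.Source, dep.BlockHeight)
	if err != nil {
		return Resolution{}, dep, err
	}
	if contractHash(pinnedCode) != dep.Hash {
		// The height and hash in flow.json disagree: refuse rather than install unverified code.
		return Resolution{}, dep, ErrPinMismatch
	}
	return Resolution{Code: pinnedCode, Pinned: true, BlockHeight: dep.BlockHeight}, dep, nil
}

// fakeChain is constructed sample data standing in for the network.
type fakeChain struct {
	latestHeight string
	history      map[string]string // block height -> contract code
}

func (f fakeChain) LatestContract(string) (string, string, error) {
	return f.history[f.latestHeight], f.latestHeight, nil
}

func (f fakeChain) ContractAtHeight(_ string, height string) (string, error) {
	if code, ok := f.history[height]; ok {
		return code, nil
	}
	return "", fmt.Errorf("no contract at block height %s", height)
}

// sampleChain holds two versions of one contract (constructed, not real chain data).
var sampleChain = fakeChain{
	latestHeight: "2000",
	history: map[string]string{
		"1234": "access(all) contract Foo { access(all) fun v(): Int { return 1 } }",
		"2000": "access(all) contract Foo { access(all) fun v(): Int { return 2 } }",
	},
}

func main() {
	// Outdated local entry and the user declines the update: the pin is honoured.
	dep := Dependency{Source: "Foo", BlockHeight: "1234", Hash: contractHash(sampleChain.history["1234"])}
	res, _, err := resolveDependency(sampleChain, dep, false)
	fmt.Println(res.Pinned, res.BlockHeight, err) // true 1234 <nil>
}
```

The returned `Dependency` is what the manager would write back to flow.json: an up-to-date or accepted install always carries the latest block height, which is how a legacy entry acquires its pin on the first run after the CLI upgrade.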
Drawbacks
By no longer forcing developers to update dependencies to the latest version, we risk developers letting their local dependencies drift from real, on-chain runtime dependencies too far. Before making this change we should validate that we have considered all the potential risks in this area.