`whippet deps install` should check that it's pulling from the correct repo

[mallorydxw]

At the moment, whippet deps install can fail if the source in whippet.lock is changed.

Example:

1. Run whippet deps install to install plugin/foobar from git@a:wordpress-plugins/foobar
2. Pull the repo, to a revision where whippet.lock contains a git URL like this: git@b:wordpress-plugins/foobar
3. Run whippet deps install and it will attempt to pull from the existing repo (git@a) when it should be pulling from the new repo (git@b)

[snim2]

I'm not sure that this is really a bug, if the JSON and the lockfile are out of sync, we probably shouldn't install without updating first?