Installs incorrect version of dependency, even when pinned via "cpanfile".

[bleargh45]

When listing dependencies via a cpanfile, it is possible for cpm to install multiple versions of the dependencies, when some of them are pinned at a specific version (but not all).

Example cpanfile:

requires "Template", "== 2.29";
requires "Template::Stash";

When resolving distributions to install, cpm matches Template up to the correctly pinned version, but then also resolves Template::Stash to the most recent release of the distribution. The two dependencies are then installed separately, and which version you end up with in the end is inconsistent. Sometimes it installs the pinned version first, then overwrites it with the newer module, other times it installs the newer one first and then overwrites with the pinned version.

While I am aware that using a cpanfile.snapshot would help address this (as it would allow me to force the resolver to only ever see the pinned version), the above behaviour still feels inconsistent.

It is also possible to trigger this behaviour when installing an entire dependency chain, where we may have a distribution pinned in cpanfile, but then modules inside of that distribution are later discovered as indirect dependencies (where we may not depend on it directly, but something which we depend on does).

[choeger]

This issue still persists.