Let Dependabot respect commit hashes #29139
guerda asked this question in Code Security
Dependabot updates dependencies with their version tag, which is mutable.
In order to be more secure, it is recommended to use the commit's hash. Unfortunately, once Dependabot detects an update, it uses the version tag for the updated version instead of the commit's hash.
It would be great if commit hashes were updated with newer commit hashes by Dependabot.
Based on a discussion here with tips from @jkcso: https://twitter.com/derguerda/status/1557454206658912256
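An added check illustrating the point above (example code, not part of the original discussion): it scans a workflow for dependency references pinned to a mutable tag rather than an immutable commit hash. It assumes the dependencies are GitHub Actions `uses:` references; the post does not name the ecosystem, and the sample workflow and its SHA are constructed.

```python
import re

# Constructed sample workflow (not from the post): one step pinned to a mutable
# tag, one to a 40-hex commit SHA (a made-up value) with the version as a comment.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: ./.github/actions/local-action
      - run: npm ci
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(line):
    """Return (action, ref, pinned) for a 'uses:' line, or None if it is not one.

    pinned is True for a full commit SHA, False for a tag/branch (mutable), and
    None for local (./path) or docker:// references, which carry no git ref.
    """
    m = USES_RE.match(line)
    if not m:
        return None
    ref_spec = m.group("ref")
    if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
        return (ref_spec, None, None)
    action, _, ref = ref_spec.partition("@")
    return (action, ref, bool(SHA_RE.match(ref)))


def find_unpinned(workflow_text):
    """List (line_no, action, ref) for every remote action on a mutable ref."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        result = classify_uses(line)
        if result and result[2] is False:
            findings.append((no, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {no}: {action}@{ref} is a mutable ref; pin to a commit SHA")
```

Keeping the version tag as a trailing comment next to the SHA is what lets a human (or a bot) see which release the hash corresponds to.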