[FEATURE] Update revision-pins for external dependencies #1209

@petemounce

Description

Is your feature request related to a problem? Please describe.

Currently, one can pin to a `#revision` in `apm.yml` under `.dependencies.apm[]`.

If one does this, `apm outdated` [1] no longer offers updates for those revision-pinned dependencies. This causes toil when updating, raising the risk of more seldom updates and consequently raising the risk of there being a wider gap if an update must be integrated to patch a vulnerability, say - just like other dependency management.

Elaborating on why revision-pinning is preferable: https://github.com/ossf/scorecard/blob/c395761df6afe1a69e476bc60a013a94bcbc153f/docs/checks.md#pinned-dependencies. Broadly, pins do not drift (leading to surprise build failures if upstream releases), and revision-pins are not mutable like tags are (same, plus supply-chain risk were upstream's secrets compromised).

Describe the solution you'd like
I'd like `apm update` to have a mode whereby it will interrogate the upstreams and offer the revision for the latest release, where a package has been revision-pinned.

It would be extra nice to mirror the dependabot feature that its `github-actions` ecosystem has, where it will update the revision-pin and then update a post-fix line-comment with the release tag that revision represents.

Describe alternatives you've considered
None

Additional context

Footnotes

  1. `apm outdated` with revision-pinned dependencies

    dependencies:
      apm:
        - Dicklesworthstone/beads_rust/.claude/skills/br#5cad749f1ed13a75e76bc95b776e47443b16c9bb
        - JuliusBrussee/caveman#ef6050c5e1848b6880ff47c32ade1a608a64f85e
        - microsoft/apm/packages/apm-guide#2b1fb6bfd42da6d7bcd14efdb0d87c5de7acc878
    
    (.venv)$ apm outdated
                                                                Dependency Status
    ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┓
    ┃ Package                                        ┃ Current                                  ┃ Latest     ┃ Status       ┃ Source         ┃
    ┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━┩
    │ Dicklesworthstone/beads_rust/.claude/skills/br │ 5cad749f1ed13a75e76bc95b776e47443b16c9bb │ -          │ unknown      │ git branch     │
    │ JuliusBrussee/caveman                          │ ef6050c5e1848b6880ff47c32ade1a608a64f85e │ -          │ unknown      │ git branch     │
    │ microsoft/apm/packages/apm-guide               │ 2b1fb6bfd42da6d7bcd14efdb0d87c5de7acc878 │ -          │ unknown      │ git branch     │
    │ trailofbits/skills/plugins/modern-python       │ e8cc5baf9329ccb491bfa200e82eacbac83b1ead │ -          │ unknown      │ git branch     │
    └────────────────────────────────────────────────┴──────────────────────────────────────────┴────────────┴──────────────┴────────────────┘
    [i] Some dependencies could not be checked (branch/commit refs)
    

    Note: modern-python is a transitive dependency and as such probably should be displayed separately?
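The resolution step this request asks for (mapping a commit pin to the release tag it sits on, finding the latest release, and emitting the dependabot-style updated entry), as an added example that is not part of the issue or of apm itself. The dependency spec, SHAs and tag list are constructed, and the `git ls-remote --tags` output is embedded rather than fetched so the script runs offline.

```python
import re

# Added example, not apm's own code: resolve `owner/repo[/path]#<40-hex sha>` pins against
# `git ls-remote --tags` output. The sample output below is constructed so this runs offline.
SPEC_RE = re.compile(r"^(?P<name>[^/#]+/[^/#]+(?:/[^#]+)?)#(?P<rev>[0-9a-f]{40})$")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def parse_ls_remote_tags(output: str) -> dict:
    """Map tag name -> commit sha from `git ls-remote --tags` output."""
    tags = {}
    for line in output.splitlines():
        sha, ref = line.split()
        name = ref.removeprefix("refs/tags/")
        # Annotated tags list twice: `refs/tags/X` is the tag object's sha, `refs/tags/X^{}`
        # the peeled commit sha. apm.yml pins are commit shas, so the peeled line wins.
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags

def semver_key(tag: str):
    """Sort key for release tags like v1.2.3; None for non-release refs (e.g. nightly)."""
    m = SEMVER_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None

def check_pin(spec: str, ls_remote_output: str) -> dict:
    """Report the release a pin sits on, the latest release, and the updated apm.yml entry."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not a revision-pinned spec: {spec!r}")
    name, rev = m["name"], m["rev"]
    releases = {t: s for t, s in parse_ls_remote_tags(ls_remote_output).items() if semver_key(t)}
    current = next((t for t, s in releases.items() if s == rev), None)
    latest = max(releases, key=semver_key) if releases else None
    latest_sha = releases.get(latest)
    status = "unknown" if current is None else ("current" if latest_sha == rev else "outdated")
    # Dependabot style: new commit pin followed by a line comment naming the release tag.
    updated = f"{name}#{latest_sha}  # {latest}" if latest_sha and latest_sha != rev else None
    return {"current_tag": current, "latest_tag": latest, "status": status, "updated_entry": updated}

# Constructed sample: v1.1.0 is an annotated tag (tag object + peeled commit), the rest lightweight.
SAMPLE_LS_REMOTE = "\n".join([
    "1" * 40 + "\trefs/tags/v1.0.0",
    "2" * 40 + "\trefs/tags/v1.1.0",
    "3" * 40 + "\trefs/tags/v1.1.0^{}",
    "4" * 40 + "\trefs/tags/v1.2.0",
    "5" * 40 + "\trefs/tags/nightly",
])
```

A pin whose sha matches no release tag (a branch head, or a commit between releases) comes back as `unknown`, which is the same state `apm outdated` shows above; the difference is that a pin sitting exactly on a release tag is now recognised and offered the newer release.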

Metadata

Labels

- area/lockfile: Lockfile schema, per-file provenance, integrity hashes, drift detection.
- priority/high: Ships in current or next milestone.
- status/accepted: Direction approved, safe to start work.
- status/shepherding: Actively being driven by an APM shepherd run.
- status/triaged: Initial agentic triage complete; pending maintainer ratification (silence = approval).
- theme/security: Secure by default. Content scanning, lockfile integrity, MCP trust boundaries.
- type/feature: New capability, new flag, new primitive.

Status: Done
