Hashes for packages from registries with parameters in the URL may not be recorded

[Shnatsel]

Cargo.lock does not URL-encode URL parameters in source field correctly right now. A v4 Cargo.lock format is expected to ship sometime soon, fixing that.

We are cross-referencing this field with cargo metadata, which starting with Rust 1.77 outputs cargo pkgid as its package ID representation (at least according to the docs).

We'll need to investigate how cargo pkgid/cargo metadata handle URL-encoding of source parameters and make sure it agrees with the Cargo.lock representation, or work around the discrepancy if it doesn't.