
Resolve difference between http and https in forc dependency URL declarations #931

Description

@mitchmindtree

As spotted in FuelLabs/fuels-rs#150, currently forc will consider the same package declared with both http and https at different branches in the package graph as distinct dependencies. This means that even if they ultimately fetch the same git reference and pin to the same commit, forc will track and build them separately in the dependency graph. This doesn't appear to cause any bugs just yet, though it results in extra bloat and may potentially cause issues with traits in the future.

It looks like cargo solves this by resolving both to the same URL, preferring the higher-level package's URL in the case that one uses http and the other https. That is, if A depends on B and both A and B depend on C, A's declaration of C is used. This is the case even if A's dependency on C is the weaker security preference. E.g. if A specifies the dependency on C with an http URL and B specifies the dependency on C with an https URL, B's request for C to be fetched over TLS is ignored.

I propose that we take a similar approach to cargo, but rather than selecting the URL based on the higher-level package, we instead select the stronger security approach. That is, if one package specifies http and another specifies https, we always prefer https.
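The following is an added example illustrating the proposal above; it is not forc's or cargo's code. It shows a resolver that strips the scheme from a git URL when computing a dependency's identity (so the http and https forms of one repository land on the same node in the graph) and then upgrades the node to https whenever any declaration in the graph used https, regardless of which package made that declaration. Every name here (`GitDep`, `parse_git_url`, `resolve`, the `#`-joined key format) is hypothetical, the manifest shape and reference format are assumptions, and the sample declarations are constructed:

```rust
use std::collections::BTreeMap;

/// Transport used to fetch the repository. Variants are declared in increasing
/// order of security strength so the derived `Ord` ranks Https above Http.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Scheme {
    Http,
    Https,
}

/// One git dependency declaration from some package's manifest (hypothetical shape).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct GitDep {
    pub scheme: Scheme,
    /// Lower-cased host plus repository path, with no scheme, trailing `/` or `.git`.
    pub location: String,
    /// The git reference the declaration pins to (branch, tag or commit), kept verbatim.
    pub reference: String,
}

/// Split an http(s) git URL into its scheme and a scheme-independent location.
/// Returns `None` for anything that is not an http(s) URL with a non-empty path.
pub fn parse_git_url(url: &str) -> Option<(Scheme, String)> {
    let (scheme, rest) = if let Some(r) = url.strip_prefix("https://") {
        (Scheme::Https, r)
    } else if let Some(r) = url.strip_prefix("http://") {
        (Scheme::Http, r)
    } else {
        return None; // ssh:// and scp-style `git@host:path` forms are out of scope here
    };
    let slash = rest.find('/')?;
    let (host, path) = rest.split_at(slash);
    // Hostnames are case-insensitive; repository paths on most hosts are not,
    // so only the host is lower-cased.
    let path = path.trim_end_matches('/');
    let path = path.strip_suffix(".git").unwrap_or(path);
    if host.is_empty() || path.is_empty() {
        return None;
    }
    Some((scheme, format!("{}{}", host.to_ascii_lowercase(), path)))
}

/// Build a declaration from a manifest URL and reference.
pub fn declare(url: &str, reference: &str) -> Option<GitDep> {
    let (scheme, location) = parse_git_url(url)?;
    Some(GitDep { scheme, location, reference: reference.to_string() })
}

/// Identity of a dependency in the package graph: the scheme is deliberately
/// left out so that http and https declarations share one node.
pub fn dep_key(dep: &GitDep) -> String {
    format!("{}#{}", dep.location, dep.reference)
}

/// Collapse every declaration in the graph onto one node per `dep_key`.
/// If any declaration for a node used https, the node is fetched over https,
/// no matter whether a higher- or lower-level package asked for it.
pub fn resolve(decls: &[GitDep]) -> BTreeMap<String, GitDep> {
    let mut graph: BTreeMap<String, GitDep> = BTreeMap::new();
    for dep in decls {
        graph
            .entry(dep_key(dep))
            .and_modify(|node| node.scheme = node.scheme.max(dep.scheme))
            .or_insert_with(|| dep.clone());
    }
    graph
}

/// The URL the resolved node will actually be fetched from.
pub fn fetch_url(dep: &GitDep) -> String {
    let scheme = match dep.scheme {
        Scheme::Https => "https",
        Scheme::Http => "http",
    };
    format!("{}://{}", scheme, dep.location)
}

/// Constructed sample graph: package A declares C over http, package B declares
/// the same C over https (with cosmetic URL differences), and D is a genuinely
/// different dependency.
pub fn sample_declarations() -> Vec<GitDep> {
    vec![
        declare("http://Git.example.org/org/lib-c.git", "v1.0.0").unwrap(), // from A
        declare("https://git.example.org/org/lib-c/", "v1.0.0").unwrap(),   // from B
        declare("https://git.example.org/org/lib-d", "main").unwrap(),      // from B
    ]
}

fn main() {
    for (key, dep) in resolve(&sample_declarations()) {
        println!("{} -> {}", key, fetch_url(&dep));
    }
}
```

Running it prints two nodes, both fetched over https: the http declaration from A is absorbed into the same node as B's https declaration instead of producing a second copy of lib-c. Keeping the scheme out of `dep_key` is what prevents the duplicate; taking the `max` of the schemes is what makes the stronger transport win independent of declaration order or graph depth.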

Metadata

Labels: forc, forc-pkg (Everything related to the `forc-pkg` crate.)

Assignees: No one assigned

Milestone: No milestone

Development: No branches or pull requests