Do not mask workspace dependencies with a source attribute

[elliotkennedy]

Workspace dependencies with a source attribute are likely to be transitive and not sourced from the workspace.

Issue #, if available:

None raised.

Description of changes:

Similar to https://github.com/LukeMathWalker/cargo-chef/issues/224.

Given a workspace project:

.
├── project_a
│   └── Cargo.toml
├── project_b
│   └── Cargo.toml
├── Cargo.lock
├── Cargo.toml

project_a/Cargo.toml:

[package]
name = "project_a"
version = "2.2.2"

[dependencies]
either = { version = "=1.8.1" }

project_b/Cargo.toml:

[package]
name = "project_b"
version = "3.3.3"

[dependencies]
# none

The external project, either, depends on a crates.io-published version of project_b.

Therefore project_b is a transitive dependency of project_a, however the transitive project_b is different from the workspace version.

Currently crates.io:project_b is incorrectly masked to version 0.0.1 in Cargo.lock.

This PR identifies transitive dependencies by not masking dependencies with a source attribute. I think this is sensible and cannot think of a scenario where a workspace package would have a source attribute.

[[package]]
name = "either"
version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91"
dependencies = [
 "project_b 3.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "project_a"
version = "0.0.1"
dependencies = [
 "either",
]

[[package]]
name = "project_b"
version = "0.0.1"

[[package]]
name = "project_b"
version = "3.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91"

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[LukeMathWalker]

Thank you!