Provide a useful message for hash installs

[guybedford]

It should be possible to easily detect if a version target looks like a hash, and when not found, the GitHub endpoint here can show a warning that commit references are not supported.

[crisptrutski]

@guybedford we briefly discussed this before -

There's an issue that the registry is not called with the "version" until after lookup - so there's no opportunity for the registry to output the warning before the install fails.

One solution is to pass the version to the registry, and put getVersionMatch in a library. Another would be to have a hook to call on "version not found" rather than immediately returning undefined

[guybedford]

So in principle I don't think we should let use cases like this dictate the API. So tempted to say let's just add the minimal helper we can given what we have.

But the only thing I can think of for that is to just have this warning show for GitHub dependencies handled in both the npm or GitHub endpoints themselves before returning the package.json.

Worth the effort?

[crisptrutski]

How about in the lookup call in jspm-cl/package.js - we have the pkg.registry and pkg.version there. Only issue the warning if github registry hasn't been remapped to something that doesn't sound gitty - they're probably an advanced user anyway

[guybedford]

As mentioned, I don't want to polllute an API for the wrong reasons.