Implement Efficient Lockfile for Better Version Control and Faster Startup

[tmc]

vim-plug would benefit from a lockfile system for the following reasons:

1. Reproducible environments across machines
2. Prevention of unexpected plugin updates
3. Easier rollbacks to known-good states

The current snapshot feature, while useful, has limitations:

• Slow startup times due to executing multiple git commands on each Vim launch
• Doesn't prevent automatic updates during normal plugin operations

A lockfile approach would:

• Store plugin commit hashes in a simple, fast-to-read format
• Be checked during updates to determine if changes are needed
• Only update plugins when explicitly requested or when the lockfile changes
• Significantly reduce startup overhead compared to the current snapshot system

This feature would enhance vim-plug's utility for users prioritizing stability, reproducibility, and performance in their Vim/Neovim setups.

• Type:
  • [ ] Bug
  • [ ] Enhancement
  • [x] Feature Request
  • [ ] Question
• OS:
  • [x] All/Other
• Vim:
  • [x] Terminal Vim
  • [x] GVim
  • [x] Neovim

[tmc]

note: I know https://github.com/junegunn/vim-plug/issues/954 was opened previously, this is effectively restarting that convo. The threat of a supply chain attack on vim plugins isn't impossible and I think we can make this project more secure pretty easily.

It would also be quite helpful to register programs to call on plugin updates when they do occur, so users can have an opportunity to perform additional security validation of new code arriving.