deploy lektor with hashed pinning
We're currently trusting pip with arbitrary code in the lektor build. @kushal made a nice procedure to avoid this.
https://gist.github.com/kushaldas/d8f566067e12d30185abe0f8442d72ef
I also learned that you can pass a --hash parameter to the requirements spec to force that.
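
An added illustration, not part of the original ticket or the linked gist: a small Python check that every entry in a requirements file is pinned with `==` and carries at least one `--hash`, which is what pip's hash-checking mode expects. The package names and digests are constructed placeholders, and `audit` and `logical_lines` are hypothetical helper names.

```python
import re

# Constructed sample: package names and digests are placeholders, not real hashes.
SAMPLE = """\
# constructed example requirements file
examplepkg==1.2.3 \\
    --hash=sha256:{a} \\
    --hash=sha256:{b}
otherpkg>=2.0 --hash=sha256:{a}
thirdpkg==0.9
""".format(a="a" * 64, b="b" * 64)

# Strong hash algorithms checked here, with their hex digest lengths.
HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}
HASH_RE = re.compile(r"--hash(?:=|\s+)(sha256|sha384|sha512):([0-9a-f]+)\b")
PINNED_RE = re.compile(r"[A-Za-z0-9._-]+(\[[^\]]*\])?\s*==\s*[^\s*,]+")


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def audit(text):
    """Return (name, problem) pairs; an empty list means every entry is pinned and hashed."""
    problems = []
    for line in logical_lines(text):
        if line.startswith("-"):
            continue  # option lines (-r, --index-url, ...) are not inspected here
        # Requirement part only: cut off the hash options and any environment marker.
        spec = line.split("--hash", 1)[0].split(";", 1)[0].strip()
        name = re.split(r"[=<>!~\[\s@]", spec, maxsplit=1)[0]
        if not PINNED_RE.fullmatch(spec):
            problems.append((name, "not pinned with =="))
        hashes = HASH_RE.findall(line)
        if not hashes:
            problems.append((name, "no --hash"))
        for algo, digest in hashes:
            if len(digest) != HEX_LEN[algo]:
                problems.append((name, f"malformed {algo} digest"))
    return problems


if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

This only lints the file; the enforcement itself happens at install time with `pip install --require-hashes -r requirements.txt`.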