
chore: delete MODULE.bazel.lock files: so broken and misleading #183

Merged
merged 1 commit into from
Dec 10, 2024

Conversation

chickenandpork
Owner

I'm a bit concerned about the plan to go to JavaScript kitchen-sink lock files.

Seriously, what happened to checksums/signatures committed to our repos, so we have clear visibility that they didn't change?

Version-tracking the MODULE.bazel.lock fails: it seems we can delete dependencies but they stick around in the lock files, and are not removed, such that a later build seems to pass with some direct dependencies no longer stated in the MODULE.bazel file.

We used to have two strong benefits from Bazel:

  1. checksums/signatures committed to the codebase so we can ensure our supplyline is safe
  2. we can delete things from a repo and the build will fail if it was needed.

I'd been chewing through issues of deleted direct dependencies that happily passed the CI build. Coincidentally, they still had mention in MODULE.bazel.lock of the resources deleted from MODULE.bazel. How can that be a good thing?

So frustrated right now. The massive churn-baby-churn lock files seem only half-baked. I didn't like package.json lock files before, so I'm a bit biased by this copy-pasta innovation, but this seems really unsafe right now.

KILL IT WITH FIRE (for now)
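One way to catch the drift described above in CI, as an added illustration that is not part of this PR or the repository: diff the `bazel_dep()` declarations in MODULE.bazel against the lock and report both declared deps the lock does not pin and lock entries no current declaration can reach. It assumes the older Bazel 7.0/7.1 lock layout with a `moduleDepGraph` section (later Bazel releases reshaped the lock file), and a `bazel_dep(name = ..., version = ...)` argument order; the sample files are constructed.

```python
# Added example, not the project's code. Assumes the Bazel 7.0/7.1 lock layout:
# "moduleDepGraph" maps "name@version" keys to entries whose "deps" values are
# other keys, and the root module is recorded under "<root>".
import json
import re

BAZEL_DEP_RE = re.compile(
    r'bazel_dep\(\s*name\s*=\s*"([^"]+)"\s*,\s*version\s*=\s*"([^"]+)"')
ROOT_KEY = "<root>"

def declared_deps(module_bazel_text):
    """Direct bazel_dep() declarations in MODULE.bazel, name -> version."""
    return dict(BAZEL_DEP_RE.findall(module_bazel_text))

def lock_drift(module_bazel_text, lock_text):
    """Return (missing, stale): declared deps the lock does not pin, and lock
    entries unreachable from the deps declared *now* (leftovers of deletions)."""
    graph = json.loads(lock_text)["moduleDepGraph"]
    declared = [f"{n}@{v}" for n, v in declared_deps(module_bazel_text).items()]
    missing = sorted(k for k in declared if k not in graph)
    # Walk from the current declarations, not from the root entry the lock
    # recorded: that entry is exactly what goes stale after a deletion.
    reachable, frontier = {ROOT_KEY}, list(declared)
    while frontier:
        key = frontier.pop()
        if key in reachable or key not in graph:
            continue
        reachable.add(key)
        frontier.extend(graph[key].get("deps", {}).values())
    return missing, sorted(k for k in graph if k not in reachable)

# Constructed sample: rules_go was removed from MODULE.bazel, but the lock
# still carries it (and the root entry still lists it as a dependency).
MODULE_BAZEL = '''
bazel_dep(name = "rules_cc", version = "0.0.9")
bazel_dep(name = "platforms", version = "0.0.10")
'''
LOCK_TEXT = json.dumps({"moduleDepGraph": {
    "<root>": {"deps": {"rules_cc": "rules_cc@0.0.9", "rules_go": "rules_go@0.50.1"}},
    "rules_cc@0.0.9": {"deps": {"bazel_skylib": "bazel_skylib@1.7.1"}},
    "bazel_skylib@1.7.1": {"deps": {"platforms": "platforms@0.0.10"}},
    "platforms@0.0.10": {"deps": {}},
    "rules_go@0.50.1": {"deps": {"bazel_skylib": "bazel_skylib@1.7.1"}}}})

if __name__ == "__main__":
    print(lock_drift(MODULE_BAZEL, LOCK_TEXT))  # → ([], ['rules_go@0.50.1'])
```

A non-empty `stale` list is the "deleted but still locked" case from the description; a non-empty `missing` list means the lock cannot vouch for a dependency's checksum at all, and either should fail the build.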

@chickenandpork chickenandpork merged commit 1ac7f04 into master Dec 10, 2024
0 of 2 checks passed
@chickenandpork chickenandpork deleted the chore/delete-module-bazel-lock-files branch December 10, 2024 23:18