Make project.json versionlock consistent with what would be used in production

With the addition of the project.json file, we have the opportunity to consolidate the versionlocks between what we use in production and what we publish.

There are a few packages in the versionlock in production that are not part of our existing versionlock. From a CI perspective, this won't change much (since we are using an EOS image instead of its RPMs), but the produced versionlock is also used in cta-release by sites to ensure that they have a consistent set of packages. For this reason, it is important that we provide a thorough versionlock list.