For example, commands which extract a tarball should be cached (i.e
should use `runCommand` not `runCommandLocal`) because it allows builds
to download the unpacked result instead of having to write both to the
store
* Seems like cargo-audit only needs a `Cargo.lock` file and an advisory
database to run, so we can filter the inputs down even further to
avoid rebuilds and file copying into the Nix sandbox
