The nixpkgs-unstable channel's programs.sqlite was used to identify
packages producing exactly one binary, and these were automatically added
to their package definitions wherever possible.

Nix counts any occurrence of a store path's *hash* as a reference, even
without a store directory prefix. The current version only kills
references of the form `/nix/store/<hash>-`, which can fail e.g. for
compressed files.

This was causing some regions to escape the fixupHook. As a concrete
example, pkgconf's signature on aarch64-darwin was not valid because
the library was not fixed up.

This allows for a less blanket approach than nuke-refs, targeting specific
references that we know we don't want rather than all references that we don't
know we want.
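
The two reference-handling messages above (hash occurrences counting as references, and targeted versus blanket removal) can be seen side by side in the following added example, which is not nixpkgs code. The hashes, the sample bytes and the function names are constructed for illustration, and the 32-`e` replacement string is modelled on what nuke-refs writes.

```python
import re

# Nix's base32 alphabet has no e, o, t or u, so a run of "e" is never a real hash.
HASH_RE = rb"[0-9abcdfghijklmnpqrsvwxyz]{32}"
NUKED = b"e" * 32

# Constructed store-path hashes (not real packages).
GCC = b"1a2b3c4d5f6g7h8i9j0k1l2m3n4p5q6r"   # build-time only, unwanted at runtime
ZLIB = b"z9y8x7w6v5s4r3q2p1n0m9l8k7j6i5h4"  # genuine runtime dependency

# Constructed file contents: two prefixed references and one bare hash occurrence.
SAMPLE = (
    b"rpath=/nix/store/" + ZLIB + b"-zlib-1.3/lib\0"
    b"built-with=/nix/store/" + GCC + b"-gcc-13/bin/gcc\0"
    b"cache-key=" + GCC + b"-gcc-13\0"
)

def scan_references(data: bytes, candidates: set[bytes]) -> set[bytes]:
    """Model of the scanner: a candidate counts if its hash appears anywhere."""
    return {h for h in candidates if h in data}

def nuke_prefixed(data: bytes) -> bytes:
    """Rewrite only references of the form /nix/store/<hash>-."""
    return re.sub(rb"/nix/store/" + HASH_RE + rb"-",
                  b"/nix/store/" + NUKED + b"-", data)

def nuke_all(data: bytes) -> bytes:
    """Blanket approach: rewrite every <hash>- occurrence, prefixed or not."""
    return re.sub(HASH_RE + rb"-", NUKED + b"-", data)

def nuke_targets(data: bytes, targets: set[bytes]) -> bytes:
    """Targeted approach: rewrite only the hashes we know we do not want."""
    for h in targets:
        data = data.replace(h, NUKED)
    return data

if __name__ == "__main__":
    known = {GCC, ZLIB}
    for name, out in [
        ("untouched", SAMPLE),
        ("prefix-only", nuke_prefixed(SAMPLE)),
        ("blanket", nuke_all(SAMPLE)),
        ("targeted", nuke_targets(SAMPLE, {GCC})),
    ]:
        refs = sorted(h[:6].decode() for h in scan_references(out, known))
        print(f"{name:12} size={len(out)} refs={refs}")
```

Every rewrite keeps the byte length unchanged, which is why the replacement is a same-length string rather than a deletion.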