There are only 2 problems I see with the existing solution in npm.
- "npm add package" puts in a "^ver", which is bad practice
- there is no good infrastructure to pull hash based blobs out of the ether in case npmjs is offline
npm-shrinkwrap has solved repeatability forever, people just didn't always use it. Auto-upgrading dependencies is the big problem, which should have never existed because it is not principled. I'd go further and say that dependencies and devDependencies should only support exact versions, and peerDependencies are the only thing that supports non-exact versions.
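The policy the comment above proposes (exact versions only in dependencies and devDependencies, ranges tolerated only in peerDependencies) is easy to enforce mechanically. The following is an added example, not code from the commenter or from npm itself: a small Node.js checker that walks a package.json object and reports every specifier that is not a plain semver version. The `samplePkg` object is constructed here for illustration and is not a real project's manifest.

```javascript
// Added example: flag floating version specifiers in a package.json object.
// Policy under test: dependencies and devDependencies must be exact versions;
// peerDependencies may use ranges. Pure JavaScript, no third-party modules.

// A specifier counts as exact only if it is MAJOR.MINOR.PATCH, optionally with a
// prerelease (-beta.1) and/or build metadata (+sha.abc). Anything else
// (^, ~, >=, ||, *, x, tags like "latest", git/URL specifiers) floats.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return typeof spec === "string" && EXACT_VERSION.test(spec);
}

// Returns [{ section, name, spec }] for every entry that violates the policy.
// Sections not listed in strictSections (peerDependencies, optionalDependencies)
// are left alone, matching the comment's proposal.
function findFloatingDependencies(pkg, strictSections = ["dependencies", "devDependencies"]) {
  const violations = [];
  for (const section of strictSections) {
    const deps = pkg[section] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!isExactVersion(spec)) {
        violations.push({ section, name, spec });
      }
    }
  }
  return violations;
}

// Constructed sample manifest (not a real project) mixing the specifier kinds
// npm produces: "^" from a default `npm install --save`, "~", a bare range, and exact pins.
const samplePkg = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    express: "^4.17.1",    // caret range: npm's default, flagged
    lodash: "4.17.21",     // exact: ok
    "left-pad": "~1.3.0"   // tilde range: flagged
  },
  devDependencies: {
    mocha: "10.2.0",       // exact: ok
    eslint: ">=8"          // open-ended range: flagged
  },
  peerDependencies: {
    react: "^17 || ^18"    // ranges are allowed here, not checked
  }
};

// Human-readable report; returns the exit status a CI step would use.
function report(pkg) {
  const violations = findFloatingDependencies(pkg);
  for (const v of violations) {
    console.log(`${v.section}.${v.name}: "${v.spec}" is not an exact version`);
  }
  return violations.length === 0 ? 0 : 1;
}

report(samplePkg);
```

The fix for a flagged entry is not to strip the `^` by hand (that would pin to the floor of the range, not to what is actually installed) but to copy the resolved version from the lockfile. Going forward, `npm install --save-exact` (or `save-exact=true` in `.npmrc`) makes npm write exact versions instead of caret ranges.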