What’s the feature?
When a new package is published on the NPM registry, no one can verify that the code is the same as the code published on GitHub (or on another public repo).
So, I’ve created a Proof of Concept, called SNPM, that instead of allowing the user to push the code directly to NPM, requires them to push it to a public repo (like GitHub) and then ask NPM to fetch it from there.
This procedure is validated using checksums of what is being uploaded.
What problem is the feature intended to solve?
Consistency between NPM packages and their source code published on public repos, like GitHub.
Is the absence of this feature blocking you or your team? If so, how?
No, but it would improve security and help prevent situations like these: (on GitHub) eslint/eslint-scope/issues/39 and (on Twitter) npmjs/status/1017517577038450693
Is this feature similar to an existing feature in another tool?
(on GitHub) npm/npm/issues/19539
Is this a feature you’re prepared to implement, with support from the npm CLI team?
Yes, it’d be nice.
I hereby add another proposal: npm verify
A command to verify a package’s checksums.
It does exactly what NPM should do in an SNPM context (as defined in this article): download the sources from GitHub, build them, calculate the checksum and verify it against the published one.
So even the end user can verify a package effortlessly by typing:
$ npm verify
$ npm verify <package_name>
How does it sound?