Note: This RFC is an alternative or augmentation of Drop-in replacement packages. Both are being discussed in tandem.
Please support --production or --only=production in npm audit
A big question is whether the changelog for a version should be immutable like the contents otherwise are. It’s pretty common to add, expand or fix changelogs for a release after being published to npm.
For the purposes of that RFC, we’re reading it from the tarball so it would be necessarily immutable. Long term, we would like the README to be updatable separately from publishes, and I see no reason that changelogs couldn’t be included as well at that time.
This RFC has been ratified! Just pending implementation now