On 17/08/21 1:43 am, Sean Whitton wrote:
> I agree with this, and already do it for all or almost all of the
> packages I maintain. There will probably need to be lots of exceptions,
> however.

Many node modules don't tag their releases, so it's really hard to get the exact source code corresponding to an npmjs.com release. We have to search for hints in commit messages to find the correct commit and then take a snapshot of that commit. Also, with monorepos becoming more popular (many modules are developed in the same git repo, with each module having a different version, but there is no way to get tarballs of individual modules), we now not only need to download tarballs corresponding to tags but also exclude all the other modules we don't need from the monorepo tarball.