If you had to install an npm package by URL, instead of by registry name, would you mind? e.g.
$ npm install https://website.com/package.tgz
$ yarn add https://website.com/package.tgz
PROS:
- Author provided integrity hashes
- Distributed package distribution
- No guardian of control
CONS:
- No semver ranges (would only work well for top-level dependencies)
- Sketchy availability (increased reliance on multiple servers)
- Hard to self-host
Integrity is good; authenticity is better. That would be some sort of signing key on the release, like GPG. That is something that is sorely needed by most package managers, npm/yarn included.
Nice! I did not know that