by feduzi 3086 days ago
I don't get why not just use git repo registry (e.g. github) for package management. If you work in a "strict" environment you can basically fork all your dependencies and use your own git repo registry.

NPM already allows using git repos, but needs some tweaks to allow better support:

* allow versioning via git tags

* store the git commit in `package-lock.json`.

* maybe something else...

1 comment

What would you gain by storing the commit in the lock file?

You can reference commits in package.json already.

For the purpose of reproducible `node_modules` tree.

Ideally, if all packages used commits and the installation algorithm never changed, there would be no need for lock files.

In reality some packages will use NPM's existing mechanism, so the "git-based algorithm" will need to accommodate that by reading the git repo of the NPM package and referring to a specific commit, which should be stored in `package-lock.json`.
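As an added example (not from the thread), here is a small Node script that checks the reproducibility property discussed above: it scans a `package-lock.json` and reports git dependencies whose `resolved` field is not pinned to a full commit SHA. It assumes npm's lockfile layout, where a git dependency's source is recorded as `git+<url>#<ref>`; the sample lockfile and package names are constructed.

```javascript
// Added example (not from the thread): audit a package-lock.json for git
// dependencies that are not pinned to a full commit SHA. npm records a git
// dependency's source in each entry's "resolved" field as "git+<url>#<ref>"
// (assumed here from npm's lockfile layout; tags and branches are not pins).
const PINNED_GIT = /^git\+.*#([0-9a-f]{40})$/i;

// Returns one finding per git dependency in the lockfile.
// lockJson: parsed package-lock.json; uses the v2/v3 "packages" map and
// falls back to the v1 "dependencies" map.
function auditGitDeps(lockJson) {
  const entries = lockJson.packages || lockJson.dependencies || {};
  const findings = [];
  for (const [name, meta] of Object.entries(entries)) {
    const resolved = meta && meta.resolved;
    if (typeof resolved !== "string" || !resolved.startsWith("git+")) continue;
    const hash = resolved.indexOf("#");
    const ref = hash >= 0 ? resolved.slice(hash + 1) : "";
    findings.push({ name: name || "(root)", resolved, ref, pinned: PINNED_GIT.test(resolved) });
  }
  return findings;
}

// Names of git dependencies that would not reproduce the same tree later.
function unpinnedGitDeps(lockJson) {
  return auditGitDeps(lockJson).filter((f) => !f.pinned).map((f) => f.name);
}

// Constructed sample lockfile: one git dep pinned to a commit, one that only
// names a tag, and one registry tarball (ignored by the audit).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/pinned-lib": {
      version: "1.2.0",
      resolved: "git+ssh://git@github.com/example-org/pinned-lib.git#0123456789abcdef0123456789abcdef01234567"
    },
    "node_modules/tagged-lib": {
      version: "2.0.0",
      resolved: "git+ssh://git@github.com/example-org/tagged-lib.git#v2.0.0"
    },
    "node_modules/registry-lib": {
      version: "3.1.4",
      resolved: "https://registry.npmjs.org/registry-lib/-/registry-lib-3.1.4.tgz"
    }
  }
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditGitDeps(SAMPLE_LOCK)) {
    console.log(`${f.pinned ? "ok  " : "WARN"} ${f.name} -> ${f.ref || "(no ref)"}`);
  }
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; any `WARN` line is a dependency that a later install could resolve differently.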