
Screw npm – it's time for change - springmissile
https://github.com/liberty-org/cli
======
nikolay
There's already a good solution, it's called git-vendor [0]!

[0]: [https://brettlangdon.github.io/git-vendor/](https://brettlangdon.github.io/git-vendor/)

------
JdeBP
Duplicates [https://news.ycombinator.com/item?id=11364190](https://news.ycombinator.com/item?id=11364190), badly.

------
mattkrea
> no single point of failure

I have no solution to this but replacing npmjs.org with github.com might not
be the answer. Wonder how a torrent-based package manager might work..

~~~
krapp
I'm assuming that the _github:_ key implies the possibility of non-github
repositories being allowed. PHP's Composer does the same thing in a slightly
more verbose way to support arbitrary repos and multiple VCS types. Packagist
is less a centralized repository than a suggested but not necessary first
choice, which in my opinion is how it should be.

It also uses a JSON file to define project dependencies. Probably not the
worst model to copy.

