How will this work with say typescript? It's pretty common to not commit the transpiled code - do you expect this to change, or would this check basically do a build + pack and then compare?
Yes it will have to do that. Some packages .npmignore the source files so those may not even be present.
But doing that is actually easier than having to deal with all the different ways of versioning packages. For example, I am not using git tags in my project, some others may be, some may be using a branch not named `master` to deploy from. They're going to have to intelligently traverse the git tree to draw meaningful conclusions.
I got a PR in my repository a few days ago leading back to a team trying to make it easier for packages to be reproducible from source https://github.com/microsoft/Secure-Supply-Chain