Better documentation for non-repository package semantics

[conartist6]

According to the semver spec:
Once a versioned package has been released, the contents of that version MUST NOT be modified. Any modifications MUST be released as a new version.

EDIT:
Sorry I hit return before I was finished posting (and then got distracted). What I'm unsure of is that with a central repo there's mostly going to be a 1:1 mapping of versions to package tarballs. But when doing decentralized dev such as with git packages, many commits are likely to have the same semver. It isn't really clear how the package manager handles that. I've observed different behaviors in different clients and versions, but I want to test more fully. But regardless of that the point is that I have to test the implementation because the docs are not clear.

[ljharb]

[conartist6]

Sorry I hit enter part way though typing. I've edited the original post.

[MylesBorins]

@conartist6 I'm not entirely sure I follow what the ask is here. There is no guarantee that the tag from a repostiory is the exact same contents as a published package. For example, a TypeScript package that needs to transpile or a monorepo that multiple packages are managed in.

In the packument we do include the shasum from the git repository that is present when the release was created. In git there is only a single shasum that will be associated with a tag, even if "decentralized".

Can you expand on the concern and perhaps the specific documentation you are expecting to be expanded