To address versioning, I would like to add the needed extra disambiguating information by adding a property dependencyBranch to npm-packages mentions, and also a versionBranch property. A package name + version + a message id should then be sufficient to resolve packages - for future ssb-aware npm clients (and maybe hackable into non-ssb-aware clients with e.g. npm's session header).
Done, in %Se6Iixc... %6xFToq/... %KQ5W48V... %b1bXWzt...
Having the dependencyBranch property will make it possible to resolve package dependencies without having to replicate the authors' feeds, since if you have a npm-packages message id with dependencyBranch set, you can find all the dependencies by following the hash links.
The versionBranch property will help with detecting concurrent/conflicting publishes of a package name, which may be useful in the future.
dependencyBranch and versionBranch are implemented as properties of the message content (not of the mentions).
Next will be to integrate this with #ssb-npm-registry for installing, and make it work for bootstrapping.
I recommend updating ssb-npm / ssb-npm-registry to ensure that new messages have the useful dependencyBranch and versionBranch information. This may also help surface bugs.
I didn't implement adding dependencyBranch and versionBranch in ssb-npm-migrate. It would be good if this were done, but it would be too hard for me to do right now, and we can make do without it. I'd like to make a new migrate script anyway (to fetch packages & metadata from a registry server instead of from a package-lock.json file).
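Added example, not part of the original post and not code from ssb-npm or ssb-npm-registry: a resolver that turns a package name + version + message id into a blob link by following dependencyBranch hash links, without reading any author's feed. The message layout, the `npm:<name>:<version>` mention name format, dependencyBranch as an array of message ids, and every id and blob link below are assumptions constructed for illustration.

```javascript
// Constructed sample messages keyed by message id (all values are made up).
// Assumed layout: content.mentions[].name = "npm:<name>:<version>",
// content.dependencyBranch = array of npm-packages message ids.
const store = new Map([
  ['%app', { content: { type: 'npm-packages',
    mentions: [{ name: 'npm:app:1.0.0', link: '&blob-app' }],
    dependencyBranch: ['%left', '%right'] } }],
  ['%left', { content: { type: 'npm-packages',
    mentions: [{ name: 'npm:left:2.1.0', link: '&blob-left' }],
    dependencyBranch: ['%base'] } }],
  ['%right', { content: { type: 'npm-packages',
    mentions: [{ name: 'npm:right:0.3.0', link: '&blob-right' }],
    dependencyBranch: ['%base', '%missing'] } }],
  ['%base', { content: { type: 'npm-packages',
    mentions: [{ name: 'npm:base:1.0.0', link: '&blob-base' }] } }],
]);

// Walk dependencyBranch links breadth-first from one message id.
// Returns the packages found and the ids that could not be fetched.
function collectPackages(getMsg, rootId) {
  const packages = new Map(); // "name@version" -> { link, msgId }
  const missing = [];
  const seen = new Set([rootId]); // shared dependencies are visited once
  const queue = [rootId];
  while (queue.length > 0) {
    const id = queue.shift();
    const msg = getMsg(id);
    if (!msg || !msg.content || msg.content.type !== 'npm-packages') {
      missing.push(id); // not replicated locally, or not a package message
      continue;
    }
    for (const m of msg.content.mentions || []) {
      const parts = String(m.name || '').split(':');
      if (parts[0] !== 'npm' || parts.length < 3) continue;
      const key = `${parts[1]}@${parts[2]}`;
      // First hit wins: breadth-first order prefers messages closest to the root.
      if (!packages.has(key)) packages.set(key, { link: m.link, msgId: id });
    }
    for (const dep of [].concat(msg.content.dependencyBranch || [])) {
      if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
    }
  }
  return { packages, missing };
}

// Resolve name + version + message id to a blob link, or null if unreachable.
function resolvePackage(getMsg, rootId, name, version) {
  const hit = collectPackages(getMsg, rootId).packages.get(`${name}@${version}`);
  return hit ? hit.link : null;
}
```

Because the result depends only on the starting message id and the hash links reachable from it, two clients starting from the same id resolve the same blobs, and the `missing` list shows which linked messages still have to be fetched.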