We noticed this because we had multiple sinopias behind a load balancer where NPM would get the toplevel on one instance and request the tgz directly on another. Although your normal use case probably doesn't account for load balancers, I would think it's possible that someone clearing out their sinopia cache will experience clients requesting a tarball without first asking for the package json or otherwise attempt to manually download tarball links.
Ideally it should check if it has the package first and pull from upstream otherwise.
Can you confirm? Would you prefer us to PR fixes, do you want to address it, or would this be a won'tfix/won'tmerge?
We noticed this because we had multiple sinopias behind a load balancer where NPM would get the toplevel on one instance and request the tgz directly on another. Although your normal use case probably doesn't account for load balancers, I would think it's possible that someone clearing out their sinopia cache will experience clients requesting a tarball without first asking for the package json or otherwise attempt to manually download tarball links.
Ideally it should check if it has the package first and pull from upstream otherwise.
Can you confirm? Would you prefer us to PR fixes, do you want to address it, or would this be a won'tfix/won'tmerge?