phylum-dev / phylum-types

Public shared types for the phylum api and cli

Improving `PackageDescriptor` for URL-specified packages

kylewillmon opened this issue · comments

pub struct PackageDescriptor {
    pub name: String,
    pub version: String,
    #[serde(rename = "type")]
    pub package_type: PackageType,
}

The current PackageDescriptor struggles to describe dependencies that do not come from the repository specified by PackageType (e.g., dependencies specified by URL). The current solution for this seems to be to put the URL in the version field, but this seems like a bit of a stretch of the meaning of that field.

I'm opening this issue to start a discussion about how this could be improved in the future.

Javascript

npm allows specifying packages by URL in many different ways:

    // URL directly to a tarball. No version specified
    "asd": "http://asdf.com/asdf.tar.gz",
    // `git+ssh` URL with a commit-ish
    "cli": "git+ssh://git@github.com:npm/cli.git#v1.0.27",
    // `git` protocol URL with a `semver` version range
    "example": "git://github.com:npm/example#semver:^5.0",
    // GitHub reference with a commit-ish
    "module": "user/repo#feature\/branch"

I would hope that the git URLs are locked to a specific commit hash before they are put into the package-lock.json, but I haven't yet tested this.

For the direct tarball URL, I would hope that a hash is included in the package-lock.json file.

It's worth pointing out that the last one doesn't even include a URL, but it is just a short form of referencing a project on github.com.
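To make the shapes above concrete, here is an added example (not code from phylum-types or its authors): a std-only Rust classifier for the npm specifier forms quoted in this issue. It maps each one onto a hypothetical descriptor in which the source of the package and its version constraint are separate fields, and it adds an `is_pinned` check that reports whether the specifier by itself names immutable content. The `Source` and `Descriptor` types, the `GIT_SCHEMES` list and the simplified exact-version rule are all assumptions made for the illustration, and the sample entries are constructed from the forms listed above.

```rust
// Added example, not phylum-types code: classify npm dependency specifiers
// into a hypothetical descriptor that keeps "where it comes from" apart
// from "which version". All type names here are assumptions for illustration.

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Source {
    /// Ordinary registry dependency; the specifier is a semver range.
    Registry,
    /// Direct URL to a tarball: no version at all, only the URL.
    Tarball { url: String },
    /// Git URL with an optional commit-ish (tag, branch or sha) from the `#` fragment.
    Git { url: String, reference: Option<String> },
    /// `owner/repo[#commit-ish]` shorthand for a repository on github.com.
    GitHub { owner: String, repo: String, reference: Option<String> },
    /// Anything else (`file:`, `npm:` aliases, ...) is kept verbatim.
    Other { raw: String },
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Descriptor {
    pub name: String,
    /// Semver range or exact version when the specifier carries one
    /// (registry specs and `#semver:<range>` git fragments); otherwise None.
    pub version: Option<String>,
    pub source: Source,
}

// Assumed list of git URL schemes recognised by this example.
const GIT_SCHEMES: [&str; 5] =
    ["git://", "git+ssh://", "git+https://", "git+http://", "git+file://"];

/// Split `spec` into the part before `#` and the optional fragment.
fn split_fragment(spec: &str) -> (&str, Option<&str>) {
    match spec.split_once('#') {
        Some((head, frag)) => (head, Some(frag)),
        None => (spec, None),
    }
}

/// A `#semver:<range>` fragment is a version constraint; any other fragment
/// is a commit-ish. Returns (reference, semver_range).
fn parse_fragment(frag: Option<&str>) -> (Option<String>, Option<String>) {
    match frag {
        Some(f) => match f.strip_prefix("semver:") {
            Some(range) => (None, Some(range.to_string())),
            None => (Some(f.to_string()), None),
        },
        None => (None, None),
    }
}

/// Classify one `"name": "spec"` entry from a package.json `dependencies` map.
pub fn parse_specifier(name: &str, spec: &str) -> Descriptor {
    let name = name.to_string();
    if GIT_SCHEMES.iter().any(|s| spec.starts_with(s)) {
        let (url, frag) = split_fragment(spec);
        let (reference, version) = parse_fragment(frag);
        let source = Source::Git { url: url.to_string(), reference };
        return Descriptor { name, version, source };
    }
    if spec.starts_with("http://") || spec.starts_with("https://") {
        let source = Source::Tarball { url: spec.to_string() };
        return Descriptor { name, version: None, source };
    }
    let (head, frag) = split_fragment(spec);
    if head.contains(':') {
        // file:, npm:, workspace: and similar are out of scope for this example.
        let source = Source::Other { raw: spec.to_string() };
        return Descriptor { name, version: None, source };
    }
    if let Some((owner, repo)) = head.split_once('/') {
        if !owner.is_empty() && !repo.is_empty() && !repo.contains('/') {
            let (reference, version) = parse_fragment(frag);
            let source = Source::GitHub { owner: owner.to_string(), repo: repo.to_string(), reference };
            return Descriptor { name, version, source };
        }
    }
    Descriptor { name, version: Some(spec.to_string()), source: Source::Registry }
}

fn is_full_sha(s: &str) -> bool {
    s.len() == 40 && s.chars().all(|c| c.is_ascii_hexdigit())
}

/// Simplified exact-version check: `MAJOR.MINOR.PATCH` with no range operators
/// (pre-release and build metadata are ignored here).
fn is_exact_version(v: &str) -> bool {
    let parts: Vec<&str> = v.split('.').collect();
    parts.len() == 3 && parts.iter().all(|p| !p.is_empty() && p.chars().all(|c| c.is_ascii_digit()))
}

/// True only when the specifier alone names immutable content. Branches and
/// tags can move and a tarball URL can be re-published, so those only become
/// reproducible once the lockfile records the resolved sha or integrity hash.
pub fn is_pinned(d: &Descriptor) -> bool {
    match &d.source {
        Source::Registry => d.version.as_deref().map_or(false, is_exact_version),
        Source::Git { reference, .. } | Source::GitHub { reference, .. } => {
            reference.as_deref().map_or(false, is_full_sha)
        }
        Source::Tarball { .. } | Source::Other { .. } => false,
    }
}

fn main() {
    // Constructed sample entries built from the forms quoted in the issue.
    let deps = [
        ("asd", "http://asdf.com/asdf.tar.gz"),
        ("cli", "git+ssh://git@github.com:npm/cli.git#v1.0.27"),
        ("example", "git://github.com:npm/example#semver:^5.0"),
        ("module", "user/repo#feature/branch"),
        ("lodash", "4.17.21"),
    ];
    for (name, spec) in deps {
        let d = parse_specifier(name, spec);
        println!("{}: pinned={} version={:?} {:?}", name, is_pinned(&d), d.version, d.source);
    }
}
```

Running it shows the practical point behind the issue: only the registry entry with an exact version is pinned by its specifier alone, the tarball has no version to put anywhere, and the git forms carry a reference that is not a version, so a single `version: String` field has to hold either a URL, a branch name or a range depending on the source.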