I seem to have hit an impasse w.r.t. adding dependency shasum verification to shrinkwrap (npm-seal has this problem as well.) The shasum of package tarballs seems to change over time, indicating that the npm registry, or the original source of the tarballs may be appending a timestamp. I want to check if that is indeed the case before proceeding.