Kyle Willmon

Results 30 comments of Kyle Willmon

Seems like this is going to need more time and testing... I'll come back to this when I've got time.

> While we could use this for lockfile generation, I don't see us being able to use this for lockfile analysis.

That's exactly the plan. The Go lockfile generator currently...

I've been doing some research on this... Go is complicated and the behavior has changed a lot... Even `go list` has issues because it does not respect module pruning. ##...

> Is CLI the right place for this? Since the CLI basically just prints what the API responds here, it seems like this might be better handled on the API...

> I think this is also true for the `phylum analyze` command, right? If so it should probably be changed everywhere.

Yes, to an extent. For `phylum analyze` (and `phylum...

> I still think we should print that the package doesn't exist (assuming we can get that info), but it seems less troublesome than reporting the package as not having...

Re-opening after finding this...

```
> phylum package -t npm pyyaml 5.3.1
Package Name: pyyaml
Package Version: 5.3.1
License:
Last updated: 1970-01-01T00:00:00+00:00
Num Deps: 0
Num Vulns: 0
Ecosystem: npm...
```

> Are you working on it right now?

Just a bit of investigation. As mentioned in [your previous comment](https://github.com/phylum-dev/cli/issues/351#issuecomment-1462457721), we expect a "Thank you for submitting" message for nonexistent packages....

You are correct. I just haven't thought of any better place to track it.

> This issue is still relevant because the public signing key used by openssl to verify the release artifacts is currently only hosted in the CLI GitHub repository...which is the...