I dislike the whole 'functional' package manager idea, as it just punts the work onto people to add explicit deps when most of the dependency information is within the code itself. Prefixing with a hash is also not ideal in my view, as there are about a dozen other ways to do the same thing without consequences as harsh. An ideal package manager could prove that package y could be a valid substitute for package x and analyze source for deps, which gets into the deep end of the pool (symbolic execution, static analysis, etc.).