Hello
I noticed that no-unpublished-require and no-unpublished-import doesn't hit if the module isn't present in devDependencies.
As the dependency tree is being flattened during npm install, nested dependencies can end up in ./node_modules where they can be required even though they're not in package.jsons devDependencies.
Hello I noticed that
no-unpublished-require
andno-unpublished-import
doesn't hit if the module isn't present indevDependencies
.As the dependency tree is being flattened during
npm install
, nested dependencies can end up in./node_modules
where they can berequire
d even though they're not inpackage.json
sdevDependencies
.In this case - as seen on line 57 - the dependency is considered public. https://github.com/mysticatea/eslint-plugin-node/blob/62212ac8ba4d375ba8a61558211f87cc0f5fb976/lib/util/check-publish.js#L55-L59
Thanks for your awesome job ✨