`no-unpublished-*` doesn't hit if module isn't in `devDependencies` - Githubissues

mysticatea / eslint-plugin-node

Additional ESLint's rules for Node.js

MIT License

959 stars 170 forks source link

`no-unpublished-*` doesn't hit if module isn't in `devDependencies` #287

Open manuth opened 3 years ago

manuth commented 3 years ago

Hello I noticed that no-unpublished-require and no-unpublished-import doesn't hit if the module isn't present in devDependencies.

As the dependency tree is being flattened during npm install, nested dependencies can end up in ./node_modules where they can be required even though they're not in package.jsons devDependencies.

In this case - as seen on line 57 - the dependency is considered public. https://github.com/mysticatea/eslint-plugin-node/blob/62212ac8ba4d375ba8a61558211f87cc0f5fb976/lib/util/check-publish.js#L55-L59

Thanks for your awesome job ✨

manuth commented 3 years ago

Looks like eslint-plugin-import/no-extraneous-dependencies in combination with these rules suits my needs.

Leaving this open in case you want to make some changes anyways