yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

Blacklisting modules #6335

Open TanninOne opened 6 years ago

TanninOne commented 6 years ago

Do you want to request a feature or report a bug? Feature

What is the current behavior? Yarn pulls in all dependencies and their sub-dependencies and so on.

What is the expected behavior?

What I want to propose is a blacklist of sorts that can be configured like a dependency but when you install a package that depends on a blacklisted package, yarn reports an error and doesn't install the package.

Concrete case: I don't want coffeescript anywhere near my project (due to its obnoxious, non-optional behavior of replacing Error.prepareStackTrace globally.)

So I'd like to set in my package.json:

```json
"blacklist": {
  "coffeescript": "^1.0.0"
}
```

and now any call `yarn add <something>`, where `<something>` is a module that depends on coffeescript (in the specified version range), will fail.

albertpeiro commented 5 years ago

I'd like to see this. I want to avoid automatic installation of event-stream@3.3.4 which presents security vulnerabilities. I want to do so in a way that's future proof for continuing to develop this piece of software, and automatized: I don't want to have to check the whole dependency tree of every dependency I install in the future.
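One way to get most of what both comments ask for with today's yarn, as an added example (not yarn's code; the `blacklist` field in package.json is the hypothetical one proposed in the issue): a preinstall script that checks the resolved yarn.lock against the blacklist. It covers both the coffeescript caret range and the exact event-stream@3.3.4 pin from the comments.

```javascript
// Added example, not yarn's own code: a preinstall check for the proposed "blacklist"
// field. It scans a yarn v1 lockfile (constructed sample below, "resolved"/"integrity"
// lines omitted) and reports packages resolved to a blacklisted version.
const SAMPLE_LOCK = `
coffeescript@^1.12.7:
  version "1.12.7"

event-stream@3.3.4:
  version "3.3.4"

"lodash@^4.17.0", lodash@^4.17.5:
  version "4.17.21"
`;
// Constructed package.json "blacklist" field (hypothetical, as proposed in the issue).
const SAMPLE_BLACKLIST = { coffeescript: '^1.0.0', 'event-stream': '3.3.4' };
// Parse a v1 yarn.lock into [{ name, version }], one per resolved package.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!raw.startsWith(' ') && raw.endsWith(':')) {
      // Header: one or more "name@range" patterns, maybe quoted; take the name from the first.
      const first = raw.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      current = { name: first.slice(0, first.lastIndexOf('@')), version: null };
      entries.push(current);
    } else if (current && raw.trim().startsWith('version ')) {
      current.version = raw.trim().slice(8).replace(/^"|"$/g, '');
    }
  }
  return entries;
}
// Simplified semver: "x.y.z" matches exactly; "^x.y.z" matches >= x.y.z and below
// the next major (next minor when major is 0; exact when major.minor is 0.0).
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const v = version.split('.').map(Number);
  const r = range.slice(1).split('.').map(Number);
  const cmp = v.map((n, i) => n - r[i]).find((d) => d !== 0) || 0;
  if (cmp < 0) return false;
  if (r[0] > 0) return v[0] === r[0];
  if (r[1] > 0) return v[0] === 0 && v[1] === r[1];
  return cmp === 0;
}
// Every lockfile entry whose version falls inside its blacklist range.
function findBlacklisted(lockText, blacklist) {
  return parseYarnLock(lockText)
    .filter((e) => Object.prototype.hasOwnProperty.call(blacklist, e.name) && satisfies(e.version, blacklist[e.name]))
    .map((e) => `${e.name}@${e.version} is blacklisted (${blacklist[e.name]})`);
}
```

In a real preinstall script, read `yarn.lock` with `fs.readFileSync` and the `blacklist` object from `package.json`, then exit non-zero whenever the returned list is non-empty.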