Consider a hypothetical npm package 'bezor' version 1.0.0 (with no namespace), which lives in an npm hosted repo in Nexus. Various client npm projects use this package, and they declare the dependency version as "~1.0.0", which signifies that the latest minor point release is acceptable.
The hosted repo is the first member of a group, which also contains a proxy for npmjs.org. One day, 'bezor' 1.0.5 shows up on npmjs.org, with no relation to the hosted package. Suddenly, builds start failing as the unrelated package is pulled down.
This is an inevitable consequence of a lack of namespacing combined with tilde-style dependency versioning, and it's also a blocker for a client adopting NX3 from a home-rolled npm repo.
- Administrators can set a system property that prevents npm groups from merging package metadata on a request-by-request basis.
- This only applies to the default namespace. Namespaced components continue to have their metadata merged, regardless of the system property's value.
If this property is set for the example above, then when a client requests metadata for package 'bezor', the client will only be shown metadata from the hosted repo. This contains 'bezor' 1.0.0 and nothing else.
This change won't affect the 'all' endpoint. Clients who request 'all' will still be able to see the multi-member merged metadata for a given package. We believe the exposure to this is minimal since the client doesn't use this to resolve dependencies.
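The 'bezor' scenario above can be modelled in a few lines. This is an added example, not Nexus code: the member names, the scoped package '@acme/ui' and all function names are constructed, and it assumes that with the property set the first member holding an unscoped package answers alone.

```javascript
// Constructed sample data: versions each group member holds, in member order.
const members = [
  { name: 'npm-hosted', packages: { bezor: ['1.0.0'], '@acme/ui': ['2.0.0'] } },
  { name: 'npmjs-proxy', packages: { bezor: ['1.0.5'], '@acme/ui': ['2.0.1'] } },
];

const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Versions the group exposes for one package.
// mergeUnscoped=false models the system property (assumed behaviour): the
// first member that has an unscoped package answers alone. Scoped
// (namespaced) packages are merged regardless.
function groupVersions(group, pkg, mergeUnscoped) {
  const holders = group.filter((m) => m.packages[pkg]);
  if (holders.length === 0) return [];
  const used = pkg.startsWith('@') || mergeUnscoped ? holders : holders.slice(0, 1);
  return [...new Set(used.flatMap((m) => m.packages[pkg]))].sort(cmp);
}

// Highest version matching "~X.Y.Z": same major and minor, patch >= Z.
function resolveTilde(range, versions) {
  const [maj, min, pat] = parse(range.slice(1));
  const ok = versions.filter((v) => {
    const [a, b, c] = parse(v);
    return a === maj && b === min && c >= pat;
  }).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Unscoped names held by more than one member: the names whose metadata a
// merge would mix, worth auditing before and after the property is set.
function collidingUnscoped(group) {
  const count = {};
  for (const m of group)
    for (const n of Object.keys(m.packages))
      if (!n.startsWith('@')) count[n] = (count[n] || 0) + 1;
  return Object.keys(count).filter((n) => count[n] > 1);
}

console.log('merged:', resolveTilde('~1.0.0', groupVersions(members, 'bezor', true)));
console.log('property set:', resolveTilde('~1.0.0', groupVersions(members, 'bezor', false)));
console.log('colliding unscoped names:', collidingUnscoped(members));
```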