I use the Nexus Repository for private NPM repository with allow-redeploy enabled. And the problem is that the system is not deleting dependencies in package.json at same module version number republished.
I have published package at version 0.0.2-SNAPSHOT
I will get the metadata descriptor:
Then i will change dependencies for version 0.0.2-SNAPSHOT to this
after npm publish I will get from http://localhost:8081/nexus/content/repositories/npm-private/fooPackage/
I replicated this bug at latest docker images sonatype/nexus:oss and sonatype/nexus3.
I know that republishing in NPM is considered as an anti-pattern. But you are allowing this option in private repo and it is very usefull, because we using the snapshot versions in development cycle at it is a bit pain to change the version everytime if there is any update in snapshot.
I'm using this as a workaround now : https://support.sonatype.com/hc/en-us/articles/221433608-Deleting-a-specific-npm-package-version-in-Nexus-Repository-Manager-2-x