Major I use the Nexus Repository for private NPM repository with allow-redeploy enabled. And the problem is that the system is not deleting dependencies in package.json at same module version number republished.
For example:
I have published package at version 0.0.2-SNAPSHOT
http://localhost:8081/nexus/content/repositories/npm-private/fooPackage/
I will get the metadata descriptor:
"versions": { "0.0.1": xxx, "0.0.2-SNAPSHOT": { "name": "fooPackage", }, "dependencies": { "dependencyA": "1.0.0", "dependencyB": "1.0.0" }, }
Then i will change dependencies for version 0.0.2-SNAPSHOT to this
"dependencies": { "dependencyA": "2.0.0" }
after npm publish I will get from http://localhost:8081/nexus/content/repositories/npm-private/fooPackage/
"versions": { "0.0.1": xxx, "0.0.2-SNAPSHOT": { "name": "fooPackage", }, "dependencies": { "dependencyA": "2.0.0", - incremented,OK "dependencyB": "1.0.0" - should be deleted,NOK }, }
I replicated this bug at latest docker images sonatype/nexus:oss and sonatype/nexus3.
I know that republishing in NPM is considered as an anti-pattern. But you are allowing this option in private repo and it is very usefull, because we using the snapshot versions in development cycle at it is a bit pain to change the version everytime if there is any update in snapshot.
I'm using this as a workaround now : https://support.sonatype.com/hc/en-us/articles/221433608-Deleting-a-specific-npm-package-version-in-Nexus-Repository-Manager-2-x
Thanks
