9

I have a Vue.js project with only 24 direct dependencies in the package.json. That results in 1230 total dependencies in the package-lock.json.

One of the transitive dependencies has a license that is not allowed in my organization. I did some research on Google on how to exclude transitive dependencies in NPM, but I couldn't find anything useful.

In Maven (Java world) there is an optional exclusions list for each direct dependency. Is there something similar for NPM? How can I permanently remove a transitive dependency from my project?

6
  • 1
    Half out of curiosity - What's the "bad" package, and what package is depending on it? After all, if it's a hard dependency, the depending package may break.
    – AKX
    Commented Aug 10, 2020 at 15:55
  • 1
    You can resolve to a specific version (only potentially useful), or hack the lock file. I don't think you can change the package itself w/ resolutions (e.g., replace the package w/ an API-compatible one). But if you exclude it, and it's actually being used, things will break. Commented Aug 10, 2020 at 15:58
  • @AKX for example webpack-chain (MPL-2.0) is a transitive dependency of @vue/cli-service. I figured out that this module is not part of the deliverable and is not distributed to customers, so it's OK after all. But anyway, in the future I might have a transitive dependency with a GPL license which I will need to exclude. Not all dependencies are always mandatory. The developer should at least have the option to exclude dependencies, just like in the Java world with Maven. I really don't know why NPM is so limiting. Commented Aug 11, 2020 at 9:44
  • 1
    Honestly, your best bet might be a postinstall script that obliterates or replaces any bad packages from your node_modules tree.
    – AKX
    Commented Aug 11, 2020 at 10:00
  • 2
    stackoverflow.com/questions/36758157 has the answer. "overrides": { "yourlib": "../_EXCLUDED_" } does the trick if the transitive lib is actually unused, but there may still be unused imports of it that have to be disabled too.
    – fo2rist
    Commented Jun 28, 2023 at 0:14
