Dealing with unpublished packages #187

Open
splix opened this issue Apr 25, 2022 · 2 comments

splix commented Apr 25, 2022

We have 2 independent projects, one depends on another. Say ProjectApp, which uses ProjectLib. During the development we publish each commit to the ProjectLib as a tarball accessible by a URL. And we want to use that development/snapshot version in ProjectApp. Which works fine by itself, we are able to reference it by URL.

But the problem is that js-green-license doesn't work in that situation because it tries to download package.json of ProjectLib from NPM, which doesn't exist:

VersionNotFoundError: Version `^0.9.0-dev` for package `@emeraldpay/emerald-vault-core` could not be found

I see a couple of ways how js-green-license can deal with it, and I can submit a PR with one of the solutions, but I'd like to hear js-green-license authors' opinion on this.

I think that the most straightforward solution would be using packageAllowlist and ignoring unpublished dependencies which are in this list. I mean just skip VersionNotFoundError for such packages, but check them if they exist. Is that ok?


splix commented Jul 2, 2023

@bcoe do you think the approach I suggested with packageAllowlist is acceptable? I'm willing to make a PR to fix this but want to make sure it aligns with the project direction, and I guess you're the maintainer of the project now. What do you think?


bcoe commented Nov 21, 2023

Hello @splix, apologies for the slow reply.

This library is not currently used by our team, and my contributions have been isolated to dependency updates in the past.

Your recommendation for handling unpublished packages seems reasonable, but I'm not sure how timely the review will be on this repository. It may be worth considering forking the project, along with sending us a patch.
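
The allowlist behaviour proposed in this thread, as an added example that is not part of the issue and not the project's own code. `REGISTRY`, `GREEN_LICENSES`, `lookupManifest`, `checkDependency` and `checkAll` are hypothetical names, and the registry is a constructed in-memory stand-in for the NPM lookup; it shows that only allowlisted names may be missing from the registry, while any other missing package still fails the check.

```javascript
// Added example; REGISTRY, GREEN_LICENSES, lookupManifest, checkDependency and
// checkAll are hypothetical names, not the project's API.

// Local stand-in for the error quoted in the issue.
class VersionNotFoundError extends Error {
  constructor(name, range) {
    super(`Version \`${range}\` for package \`${name}\` could not be found`);
    this.name = 'VersionNotFoundError';
  }
}

// Constructed in-memory registry standing in for the NPM lookup.
const REGISTRY = new Map([
  ['permissive-lib', { license: 'MIT' }],
  ['copyleft-lib', { license: 'GPL-3.0' }],
]);
const GREEN_LICENSES = new Set(['MIT', 'Apache-2.0', 'ISC']);

function lookupManifest(name, range) {
  if (!REGISTRY.has(name)) throw new VersionNotFoundError(name, range);
  return REGISTRY.get(name);
}

function checkDependency(name, range, packageAllowlist) {
  let manifest;
  try {
    manifest = lookupManifest(name, range);
  } catch (err) {
    // Tolerate only "not published", and only for names on the allowlist.
    if (err instanceof VersionNotFoundError && packageAllowlist.includes(name)) {
      return { name, status: 'skipped-unpublished' };
    }
    throw err; // anything else still fails the run
  }
  // A published package is checked even when it is on the allowlist.
  const status = GREEN_LICENSES.has(manifest.license) ? 'green' : 'non-green';
  return { name, status, license: manifest.license };
}

function checkAll(dependencies, packageAllowlist) {
  const results = [], errors = [];
  for (const [name, range] of Object.entries(dependencies)) {
    try { results.push(checkDependency(name, range, packageAllowlist)); }
    catch (err) { errors.push(err.message); }
  }
  return { results, errors };
}
```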
