[RRFC] Module block list

[ruyadorno]

There was this idea being floated around during last NodeJS Interactive conference in which theoretically some population of npm users would like to see a way to manage a list that prevents specific packages to be installed in their project (probably package.json managed but it can also live as a sep file, etc).

Currently it seems that folks are already able to do it on yarn by hacking the usage of resolutions fields and providing empty tarballs for the modules they want to block.

Is this something we would like to support? If yes, is there someone willing to submit a proper RFC and champion it?

/cc @ChALkeR

[ChALkeR]

@ruyadorno Upon thinking about this further, just "blocking" a module could be not sufficient in some cases. E.g.:

1. for some packages, "blocking" would be just preventing it from being installed (chokidar -> fsevents),
2. and for some cases, it might need to be replaced with a dummy module that could be required, but returns e.g. an empty object -- e.g. if the module is required, but not actually used. Those situations are not interchangeable -- e.g. chokidar will get confused if require('fsevents') succeeds but returns an empty object.
3. some might need more complex replacements that could be done only via resolutions.

All of those could be done by the user via resolutions if/when those would be supported, but a more limited option that would support either just (1) or both of (1) and (2) should be easier to implement and more straightforward to use.

Wdyt?

[ruyadorno]

since the npm version of resolutions is coming to shape in #129 I think we should drop this idea in favor of that 😊

[ljharb]

As long as resolutions allows a false analogue, then that totally subsumes this one.

[ruyadorno]

also, this discussion is related: #112