In general we want to check a bunch of things in package.json files:
For example, confirm that there are no "devDependencies", and that the "build" script is always "liferay-npm-scripts build" etc.
But there are some cases where we want to suppress some aspect of this, but not all of it, and at the moment the only way to do this is to suppress all the checks for the entire file — for example:
Here is an example PR where we needed to break the rules:
This is a module where we need to declare devDependencies and provide them to other modules. This is a legitimate use case for adding devDependencies (infrastructure modules that make their contents available to other consumers); it's unlike the typical case where we want to stop devDependencies being added willy-nilly.
So the purpose of this ticket is to see whether we can find a way to make the suppressions finer-grained. Somewhere on the scale from "check everything in the package.json" to "check nothing in the package.json", there are intermediate steps, such as "check scripts properties but not devDependencies", or "do check devDependencies, but allow whitelisted ones" etc. I don't know what balance of fine-grainedness and simplicity is optimal.
Failing that, a last resort would be for us to "hide" the dependencies inside liferay-npm-scripts, but that's not something we're sure we'd want to do, because it obfuscates where the dependency is really coming from.
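One possible shape for the intermediate steps described above ("check scripts properties but not devDependencies", "allow whitelisted ones"), as an added example that is not code from the existing checks or from liferay-npm-scripts. The rule names, the suppression format and the function checkPackageJson are hypothetical, and it assumes a missing "build" script is acceptable.

```javascript
// Hypothetical rules: names, options and the suppression format are assumptions.
const RULES = {
  // Flag every devDependency that is not explicitly allowed for this file.
  'no-dev-dependencies': (pkg, opts) =>
    Object.keys(pkg.devDependencies || {})
      .filter((name) => !(opts.allow || []).includes(name))
      .map((name) => `devDependency "${name}" is not allowed`),
  // Assumption: a missing "build" script is fine; a present one must match.
  'build-script': (pkg) => {
    const build = (pkg.scripts || {}).build;
    return build === undefined || build === 'liferay-npm-scripts build'
      ? []
      : [`"build" script is "${build}", expected "liferay-npm-scripts build"`];
  },
};

// suppressions maps a rule name to true (skip the rule) or to rule options.
function checkPackageJson(pkg, suppressions = {}) {
  const problems = [];
  for (const [rule, check] of Object.entries(RULES)) {
    const setting = suppressions[rule];
    if (setting === true) continue; // this one rule is suppressed for the file
    for (const message of check(pkg, setting || {})) {
      problems.push({ rule, message });
    }
  }
  // A misspelled rule name must not pass silently as a suppression.
  for (const rule of Object.keys(suppressions)) {
    if (!Object.keys(RULES).includes(rule)) {
      problems.push({ rule, message: 'unknown rule in suppressions' });
    }
  }
  return problems;
}

// Constructed sample: an infrastructure module that ships one shared devDependency.
const samplePkg = {
  name: 'example-infrastructure-module',
  scripts: { build: 'webpack' },
  devDependencies: { 'shared-tool': '1.0.0', 'left-over': '2.0.0' },
};
const sampleSuppressions = { 'no-dev-dependencies': { allow: ['shared-tool'] } };
console.log(checkPackageJson(samplePkg, sampleSuppressions));
```

With the per-name allow list the file still gets the "build" check and still reports any devDependency nobody approved, which the all-or-nothing suppression cannot do.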