Vendoring a dependency in a published dependency

[alexandercerutti]

We have an internal package (@int/a-wrap) that has an NPM dependency that we must clone in order to apply some patches and build it before shipping our dependency.

Let's call it a (scoped: @vnd/a).

In order to do so, we have a shell script that we run when we have to compile a and publish @int/a-wrap and, once patches have been applied, it runs

$ pnpm add ./vendor/a

a/ includes the minimum files required to be a package, so package.json  and a dist/ with the compiled files.

So, in the package.json I then can see "@vnd/a": "link:vendor/a" as a dependency and I can see it in the node_modules in @int/a-wrap folder as @vnd/a.

Then we publish the main package by including the vendor folder in the tarball.

From an application, we then run pnpm install @int/a-wrap.

Installation report the following warn:

 WARN  Installing a dependency from a non-existent directory: /Volumes/Workspace/app/vendor/a

So, pnpm in the application is looking for the vendorized dependency in the application and not in the package how it should (to me, at least).

I'm not sure this is a bug or an expected situation, but I preferred asking here before opening a report. I didn't find anything similar among the issues and the discussions.

Does anyone know how can we make it to find a vendorized dependency from the package itself?

I'm using everywhere [email protected] (I upgraded to test this, I was on 9.1.3, where we had the same problem).

We tried as well with

$ pnpm add file:vendor/a

And it worked until the main app repo had npm (while @int/a-wrap had pnpm), but we are migrating to pnpm in the app as well, so this problem happend.

Thank you.