Replies: 1 comment
-
Brilliant, I have never seen anything like this. Sorry, I know it wasn't your intention. But I have learned something new today. But shouldn't the page of a package show the docs about the package? To me, this is the right path.
-
This is not intended to be self promotion. It's just an example of the issue I'm seeing that happens to include one of my packages.
I published a data parser package on NPM. The package has one dependency, xlsx. The xlsx package on NPM is not current, so I'm downloading the dependency from outside of NPM using a URL in my package.json file.
When I look at the dependency tab on the NPM website and click on the xlsx dependency, I go to the xlsx page on the NPM website; however, I'm not using any version of xlsx offered by NPM. It's a package outside of NPM that happens to have the same name as a package on NPM.
I feel like in this case, it would be possible to create a package that supposedly uses a popular dependency, but instead, downloads a package from another source, labelled as that dependency.
There's no warning about the use of an external package on the website or when installing it through the CLI. I think there should be some sort of notification in the CLI to agree to downloading a package from outside NPM. I think also that the dependencies tab on the NPM website should not link to the page of a package that coincidentally has the same name when the package is coming from outside NPM, but instead show the URL of where the dependency is actually coming from.
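An added example, not part of the original post and not npm's own tooling: a check a consumer could run over a parsed package.json and package-lock.json to list dependencies that are fetched from outside the registry despite carrying a registry-looking name. The function names, the sample manifest and its URLs are constructed, and the default public registry URL is an assumption.

```javascript
// Flag dependencies that are fetched from somewhere other than the npm registry.
const REGISTRY = 'https://registry.npmjs.org/'; // assumption: default public registry
const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Classify a package.json dependency spec by where it is fetched from.
function classifySpec(spec) {
  if (/^https?:\/\//i.test(spec)) return 'remote-tarball';
  if (/^(git\+|git:\/\/)/i.test(spec) || /^(github|gitlab|bitbucket|gist):/i.test(spec)) return 'git';
  if (/^(file|link):/i.test(spec) || /^\.{0,2}\//.test(spec)) return 'local-path';
  if (/^npm:/i.test(spec)) return 'alias'; // listed name differs from the installed package
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec)) return 'git'; // "user/repo" GitHub shorthand
  return 'registry'; // version, range or dist-tag
}

// Return every dependency in a parsed package.json that is not a plain registry spec.
function findNonRegistryDeps(pkg) {
  const findings = [];
  for (const field of FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const source = classifySpec(String(spec).trim());
      if (source !== 'registry') findings.push({ field, name, spec, source });
    }
  }
  return findings;
}

// Same check on a parsed package-lock.json (lockfileVersion 2/3 "packages" map).
function findNonRegistryResolved(lock, registry = REGISTRY) {
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path && e.resolved && !e.resolved.startsWith(registry))
    .map(([path, e]) => ({ path, resolved: e.resolved }));
}

// Constructed sample input; the URLs are placeholders, not the one from the post.
const samplePkg = {
  dependencies: {
    xlsx: 'https://cdn.example.invalid/xlsx-0.0.0.tgz',
    lodash: '^4.17.21',
  },
  devDependencies: { helper: 'github:example-user/helper#v1.0.0' },
};
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'example-data-parser' },
  'node_modules/xlsx': { version: '0.0.0', resolved: 'https://cdn.example.invalid/xlsx-0.0.0.tgz' },
  'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
} };

console.log(findNonRegistryDeps(samplePkg));
console.log(findNonRegistryResolved(sampleLock));
```

The package.json check only covers direct dependencies; the lockfile check also catches transitive packages resolved from another host.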