Specify package version without package.json

[astral-arsonist]

Squirrel is currently being used as a way of allowing drop-in plugins to safely declare their own npm dependencies in NodeCG. As these plugins are drop-ins (meaning, the end user simply places them in a folder and they are expected to work), using NodeCG's package.json to manage pluginDependencies is not realistic.

As of right now, when squirrel pulls down a package from npm, it pulls the latest version. If an update is then released to that npm package, squirrel will not pull it down if it sees an already existing version in node_modules.

I would like the ability to specify a version range (i.e., ^0.1.0) or at least a specific version number when using squirrel at runtime. This would prevent me from having to manually delete outdated npm packages from my node_modules folder every time I wanted squirrel to pull down the latest version.

[astral-arsonist]

This does of course raise the issue of conflics. For example, if two NodeCG plugins (we call them 'bundles') both request an npm package but need two different versions of it...

Perhaps a solution would be to not store squirreled npm deps in the root node_modules folder? Maybe an option to specify the download destination path would help. This would necessitate that NodeCG bundle authors tweak how they reference paths in their require statements, but that seems like a fair compromise.