What about undeclared dynamic dependencies?

[alexeagle]

npm has the semantics that all programs see the entire node_modules tree. This allows libraries to have the dubious behavior "I don't declare any kind of dependency on foolib in my package.json, but if you just install foolib into your project, I'll have different behavior". That's because a program can just try { require('foolib') } and have conditional behavior based on whether it was found.

It seems to me that any formulation of individual npm packages under bazel, where a package's dependencies are expected to be declared statically, is going to have the flaw that some program behavior no longer works because the dynamic lookup of foolib fails when it's not in the declared action inputs.

Have you thought about this at all?