One struggle that became obvious when trying to implement this approach at scale is that you are required to approve all the transitive dependencies down the chain too. NPM projects especially become unreasonable to maintain quickly. As an example, one of my pretty basic Homebridge plugins has a total of 15 dependencies between dependencies and devDependencies; after deduplication the dependency tree has more than 800 items. That is not maintainable through Nexus content selectors.
A different approach, which does not prevent downloading, is to integrate checks into the code quality analysis performed by SonarQube. There are no rules built in to do this though, so a custom plugin was required.
I have created an initial implementation of a plugin which provides this functionality: sonar-alloweddependencies-plugin.
This exposes a number of new rules, detailed in the project readme, and is only concerned with dependencies which are referenced in the project directly; it performs no checks against transitive dependencies. It supports both Maven pom.xml and NPM package.json dependency descriptors, and supports providing different dependency lists for different scopes (e.g. test and main).
Once a rule is enabled and configured with an approved list of dependencies, this will create issues if a dependency is used that is not in the allowed list.
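To make the check concrete, here is an added Python sketch of the same logic (not the plugin's own code, which is a Java SonarQube plugin): it reads the direct dependencies from a package.json and a pom.xml, assigns each to a scope, and reports anything not on the allowed list for that scope. The descriptors and allowed lists are constructed sample data.

```python
import json
import xml.etree.ElementTree as ET
# Constructed sample descriptors for the demo (not taken from any real project).
PACKAGE_JSON = """{
  "dependencies": {"homebridge": "^1.6.0", "left-pad": "1.3.0"},
  "devDependencies": {"typescript": "^5.0.0", "jest": "^29.0.0"}
}"""
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>2.0.9</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version><scope>test</scope></dependency>
    <dependency><groupId>com.example</groupId><artifactId>unvetted-lib</artifactId><version>1.0</version></dependency>
  </dependencies>
</project>"""

# Allowed lists keyed by scope: one for production code, one for test/dev tooling.
ALLOWED_NPM = {"main": {"homebridge"}, "dev": {"typescript", "jest"}}
ALLOWED_MAVEN = {"main": {"org.slf4j:slf4j-api"}, "test": {"junit:junit"}}

def npm_dependencies(text):
    """Yield (scope, package name) for each direct dependency declared in package.json."""
    doc = json.loads(text)
    for scope, key in (("main", "dependencies"), ("dev", "devDependencies")):
        for name in doc.get(key, {}):
            yield scope, name

def _local(tag):
    # Strip the XML namespace so the parser works with or without the POM xmlns.
    return tag.rsplit("}", 1)[-1]

def maven_dependencies(text):
    """Yield (scope, groupId:artifactId) for each direct dependency in <project><dependencies>.
    <dependencyManagement> and plugin dependencies are deliberately not read."""
    root = ET.fromstring(text)
    for block in root:
        if _local(block.tag) != "dependencies":
            continue
        for dep in block:
            fields = {_local(c.tag): (c.text or "").strip() for c in dep}
            scope = "test" if fields.get("scope", "compile") == "test" else "main"
            yield scope, f"{fields['groupId']}:{fields['artifactId']}"

def find_violations(deps, allowed):
    """Return sorted (scope, dependency) pairs not on the allowed list for their scope."""
    return sorted((s, d) for s, d in deps if d not in allowed.get(s, set()))

if __name__ == "__main__":
    # Each violation is what the plugin would raise as a SonarQube issue.
    print(find_violations(npm_dependencies(PACKAGE_JSON), ALLOWED_NPM))
    print(find_violations(maven_dependencies(POM_XML), ALLOWED_MAVEN))
```

Like the plugin, this only looks at what the descriptor declares directly, so transitive packages pulled in by those dependencies are never inspected.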
Releases of this are published to GitHub Packages only at this point, so are accessible from the GitHub project page. I have not yet gone through the validation process to get set up for Maven Central. Note that there are published versions for both snapshots and main releases.
If you hit any issues, have suggested improvements, or even want to contribute then please raise an issue on the GitHub page. I still have some changes I want to make to this, but the latest non-snapshot release is usable.