Disable requiring sub-dependencies

[klaasman]

It's possible to import every package inside the node_modules directory. This may lead to bugs when for example in the future a package removes a dependency which was accidentally imported by the app itself without explicitly installing it.

[EECOLOR]

I like the idea, it should be pretty easy to imlement as a separate plugin, something like this:

  webCompiler.hooks.normalModuleFactory.tap(p, normalModuleFactory => {
    const importedPackages = { ...getFromPackage(), ...getFromBuildTool() }  
    normalModuleFactory.hooks.afterResolve.tap(p, data => {
      if (isLibraryRequest(data) && !importedPackages[data.rawRequest])
        throw new Error('...')

      return data
    })
  })

[EECOLOR]

This is actually more tricky than it sounds for stuff where we import a specific file. It's for example ok to import @kaliber/build/lib/hot-module-replacement-client when we have @kaliber/build in our package.json.

https://github.com/webpack/enhanced-resolve/tree/v4.0.0 is a tricky library. We could do some manual string splitting, but there might be a chance that the library already provides some information.

[EECOLOR]

It still allows us to import dependencies that are specifically for the server (like express).

[EECOLOR]

Oh and this is blocked by #113

[EECOLOR]

It would also cause problems with the @kaliber/build. We don't want people to add react as a dependency because @kaliber/build provides it. So in some case we do want to allow sub dependencies.

The same goes for the webpack-sources library, we never want another version than the one that comes with webpack.

The complexity that is introduced when adding these edge cases is not worth the benefit. On top of that, we don't have enough examples where this caused a problem.