Programmatically add an NPM package

Is there a way to tell Vaadin to include an NPM package without the @NpmPackage annotation? I would like to do this programmatically.
I am confident that I did this before, but I cannot find the code where I did.

Use case: I am writing an addon that depends upon an NPM package. However, it is not related to a component. I also want to offer developers the ability to specify the version of the package.

You can add npm packages normally with npm i package-name

Yes, but I need to do this from within a Vaadin addon. So, in Java.

I know I did this before using Vaadin internal classes.

And I think within a VaadinServiceInitListener.

I’m not sure I understand the use case. How does the user select the version in that case?

Does it matter? I could get it from an environment variable, file, whatever.

Once I have it, I want to tell Vaadin to include it as a dependency before generating package.json.

Basically, do exactly what @NpmPackage does, but imperative.

I suppose you can look up usages of NpmPackage and see how it gets handled. But how do you enforce that the user installs a version of the npm package that is compatible with the addon version if the addon doesn’t specify it?

I believe this is the file that handles it: flow/flow-server/src/main/java/com/vaadin/flow/server/frontend/TaskUpdatePackages.java at main · vaadin/flow · GitHub

As far as I know, it’s not possible. The only thing that comes to mind to hack into it would be to, e.g., create a Java class with Byte Buddy or some other black magic and hope that the scanner finds it.

@quirky-zebra, in theory one can have Node installed on the server and use a command line runner via Java. Then, after that, one needs to copy the file from node_modules to the resources folder, so that it can be loaded dynamically. All this needs to happen when the app starts, before the session is initialized, so that you can dynamically load the resource in bootstrap listeners. Why I am describing this in detail is to make clear that there are many ifs here that you typically want to avoid. Due to software logistics chain safety reasons, you absolutely do not want to execute npm i on the production server, since that opens the option for malicious code injection. So instead of doing anything like this at runtime, if such “dynamic loading” is more about providing different build variants, one should do this in build scripts instead.

I was hoping he meant in the build process, where he wants to add a dependency / library without the annotation but later adds the annotation with Byte Buddy in the compile phase so that Flow would hopefully find it 😬 I would never suggest to even think about executing nodejs / npm on a prod server.
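
The build-time variant discussed in the last replies, as an added example that is not part of the thread or of Vaadin's own code: a generator that accepts only an exact version pin and then uses Byte Buddy to write a class carrying @NpmPackage. The class name, the ADDON_NPM_VERSION variable and the argument order are assumptions, and whether Flow's scanner picks up the generated class is the open question raised above, not something confirmed here.

```java
import com.vaadin.flow.component.dependency.NpmPackage;
import net.bytebuddy.ByteBuddy;
import net.bytebuddy.description.annotation.AnnotationDescription;

import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/** Build-time generator (hypothetical); run it from the build, never on a server. */
public class NpmPackageMarkerGenerator {

    // Exact x.y.z pins only: no ranges (^, ~, >=), tags ("latest"), URLs or git refs.
    private static final Pattern EXACT_VERSION =
            Pattern.compile("\\d+\\.\\d+\\.\\d+(-[0-9A-Za-z.-]+)?");
    // Plain or @scope/name registry names only, so no paths or URLs get through.
    private static final Pattern PACKAGE_NAME =
            Pattern.compile("(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*");

    static void validate(String name, String version) {
        if (name == null || !PACKAGE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("Not a plain registry package name: " + name);
        }
        if (version == null || !EXACT_VERSION.matcher(version).matches()) {
            throw new IllegalArgumentException("Version must be an exact pin: " + version);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: args[0] = output dir (e.g. target/classes),
        // args[1] = package name; the version comes from a hypothetical env variable.
        File classesDir = new File(args[0]);
        String name = args[1];
        String version = System.getenv("ADDON_NPM_VERSION");
        validate(name, version);

        // Same two members a hand-written @NpmPackage(value = ..., version = ...) sets.
        AnnotationDescription npmPackage = AnnotationDescription.Builder
                .ofType(NpmPackage.class)
                .define("value", name)
                .define("version", version)
                .build();

        // Emits an empty class carrying only the annotation.
        new ByteBuddy()
                .subclass(Object.class)
                .name("com.example.addon.generated.NpmPackageMarker") // hypothetical name
                .annotateType(npmPackage)
                .make()
                .saveIn(classesDir);
    }
}
```

Because the version is resolved and validated while the artifact is built, the resulting package.json entry is fixed before deployment and nothing needs to run npm on the production server.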