I think the better approach is carefully-controlled
bundling in Fedora. As of a couple years ago, it is now
permissible to bundle software together in Fedora if it
meets certain conditions:

1) If the dependency is already packaged in Fedora and
this software is compatible with that version, then this
software must link against the unbundled version.
2) If the dependency is not yet packaged in Fedora but is
likely to be useful to large amounts of Fedora software, it
is strongly encouraged that it be packaged separately.
3) Other dependencies MAY be carried internally by the
package that needs them, but that package MUST include
`Provides: bundled(npm(modulename)) = version`

Rule 3) is so that if there is a security vulnerability
in npm(modulename), we can find any and all software that is
required to be updated.

I haven't had any time to work on it, but I'd very much
like to develop an automatic RPM dependency generator that
will recurse down the node_modules directories, read their
package.json files and automatically create those Provides.
If anyone else wants to take a crack at doing that, it would
be an immense help.