Open RFC Meeting (npm)

#### Meeting from: February 3rd, 2021 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Ruy Adorno (@ruyadorno) - Wes Todd (@wesleytodd) - Myles Borins (@MylesBorins) - Jordan Harband (@ljharb) - ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. Code of Conduct Acknowledgement 1. Outline Intentions & Desired Outcomes 1. Announcements 1. **Feedback from npm v7 going to `latest`** 1. **Issue**: [#301 [RRFC] Workspaces: support to version specifiers other than semver ranges](https://github.com/npm/rfcs/issues/301) - @ruyadorno 1. **PR**: [#117 RFC: npm workspaces - Working with workspaces](https://github.com/npm/rfcs/pull/117) - @ruyadorno ### Notes * 1. **Feedback from npm v7 going to `latest`** * @ljharb has experienced some issues * currently investigating an issue between v6 & v7 * build/tests are failinig (https://github.com/ljharb/eslint-plugin-import/runs/1817778513?check_suite_focus=true) * `eslint-plugin-import`: https://github.com/benmosher/eslint-plugin-import/issues/1986 * anecdotally, believe it's the installation in the root of the package * @wesleytodd could be a bug in the webpack resolver * 2. **Announcements** * @ruyadorno `npm diff` launched (ref. https://dev.to/ruyadorno/npm-diff-23dh) * @wesleytodd Adam Baldwin has been posting about security vulnerabilities in the ecosystem (ref. https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/) * @wesleytodd bug/issue ran prepare scripts with legacy/old `git` dep (deep transitive - `wdio`) - seems to be in `arborist.buildIdealTree` seems to run prepare script which could run in the cache * 3. **Workspaces** * Notes from last RFC call: https://github.com/npm/rfcs/blob/latest/meetings/2021-01-27.md#notes * @wesleytodd working with the Google folks that wrote `release-please` might be good * specifically, they are trying to run commands inside workspace projects programmatically (ie. utilizing `arborist` to get a list of workspaces/`package.json`s) * learn why/what they've been using `lerna` for * @wesleytodd have a bit of a unique workflow compared to `release-please` offers (would prefer `npm update` to be able to handle this better) * @darcyclarke pivot points seem to be around hoist * @ljharb `npm` needs to ship a non-breaking workspace implementation * @ruyadorno has heard some complaints about the basics w/ current workspaces, has some ideas... * @ruyadorno we should wait until v8 to change the workspace implementation * @darcyclarke keep thinking about the opt-in "strategy" for `strategies` (ie. host/shared/global-style/legacy-bundling) * @wesleytodd would love opt-in changes shipped * @ljharb minor makes sense since it should only be better/more-strict (nomenclature `mode`s ?) * @ruyadorno does a different `mode` how workspaces get installed? * @ruyadorno we may still want to consider including the `nohost` config that Yarn v1 had * @ruyadorno is it a good idea to start work on the running commands in workspaces before we surface this?