# Feedback Call
### Attendees
* Myles Borins (@MylesBorins)
* Darcy Clarke (@darcyclarke)
* Ruy Adorno (@ruyadorno)
* Edward Thomson (@ethomson)
* Meirav Feiler (@smeirsha)
* Scott Densmore (@scottdensmore)
### Agenda
Hand compiled by @MylesBorins
### Package meta data review
Last meeting we spent the majority of time discussing Package Meta Data. Let's do a quick recap of what our plans are for work in this area.
### Improvements to 2FA + publishing + tokens
Last quarter we launched npm automation tokens. We've received great feedback about ways that we can improve them. Let's discuss what we could prioritize next.
* [Naming npm tokens](https://github.com/npm/feedback/discussions/67)
* [Feedback on CI-specific auth codes](https://github.com/npm/feedback/discussions/44)
* [2FA makes publishing from continuous deployment difficult](https://github.com/npm/feedback/discussions/8)
* @ethomson we've done some work here by introducing automation tokens
* @mylesborins per-package scoped automation tokens is on our radar/backlog
* @mylesborins staged publishing has also been discussed before & we've talked about this a bit
### npm's role as a registry steward
While we do have a current policy for claiming abandoned packages, it seems folks are having a
hard time finding this information. Further, it might be time to consider a refresh of the policy.
Let's discuss.
* [What happens to abandoned packages?](https://github.com/npm/feedback/discussions/82)
* [Audit and/or validate certain "unique" details of package.json](https://github.com/npm/feedback/discussions/84)
* [Packages that name-squat on built-in module names](https://github.com/npm/feedback/discussions/85)
* @mylesborins should audit existing modules for overlap w/ native/built-ins
* @mylesborins opportunity to do a review of our policies around disputes/resolutions
* @mylesborins should define our role better
### Login + Auth
Currently, authenticating with multiple registries can be difficult and there isn't a clear path
for supporting SSO. Let's discuss what the future of authentication could look like and how we
could more deeply integrate GitHub + npm accounts.
* [Support for Browser-Based Auth from CLIs](https://github.com/npm/feedback/discussions/46)
* [Login with GitHub](https://github.com/npm/feedback/discussions/75)
### Frustration with CVEs and audit
There has been awesome feedback in the ecosystem related to CVE reporting as well as dark patterns we are seeing in the ecosystem that create additional work for maintainers. Let's discuss the open discussion and see if we have ideas for next steps.
* [Reduce the noise, work, and frustration from CVE reporting](https://github.com/npm/feedback/discussions/62)
* Leave for the next meeting
### Additional Topics
We may not have time for the below discussion topics in this week's meeting. If we get through the above topics we will do a quick review of the below topics and pick the ones we want to prioritize discussion around.
#### Meta
* [Specify the registry for a module](https://github.com/npm/feedback/discussions/87)
#### Registry
* [Document the registry endpoints](https://github.com/npm/feedback/discussions/55)
* [npm publish finishes before publish is done](https://github.com/npm/feedback/discussions/68)
* [Precompiled Binary Hosting](https://github.com/npm/feedback/discussions/80)
* [Batch metadata](https://github.com/npm/feedback/discussions/88)
#### CLI
* [Workspaces in the npm CLI](https://github.com/npm/feedback/discussions/5)
* [Make it easier to install a package from a pull request](https://github.com/npm/feedback/discussions/39)
* [Add npm scripts as first level commands - `npm dev`](https://github.com/npm/feedback/discussions/54)
* [Support for groups of dependencies (beyond just prod/dev)](https://github.com/npm/feedback/discussions/57)
* [make engines field usable with postinstall scripts](https://github.com/npm/feedback/discussions/58)
* [Lockfile interop between npm6 and 7](https://github.com/npm/feedback/discussions/59)
* [Why is onload-script no longer supported?](https://github.com/npm/feedback/discussions/71)
* [Fixing package-lock protocol jitter](https://github.com/npm/feedback/discussions/81)
#### Website
* [Add sorts to various random package views](https://github.com/npm/feedback/discussions/72)
* [Remove 'npm is now part of GitHub' from npmjs.com](https://github.com/npm/feedback/discussions/79)