Open RFC Meeting (npm)

#### Meeting from: June 1st, 2022 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Gar (@wraithgar) - Jon Jensen (@jenseng) - Owen Buckley (@thescientist13) - Jordan Harband (@ljharb) - Nathan LaFreniere (@nlf) - Ruy Adorno (@ruyadorno) - - - ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. Code of Conduct Acknowledgement 1. Outline Intentions & Desired Outcomes 1. Announcements - [**v9 Roadmap**](https://github.com/npm/statusboard/issues/443) (Check it out) - OpenJS World - https://openjsf.org/openjs-world-2021/ 1. **PR**: [#595 Propose backwards-compatible improvements to compression](https://github.com/npm/rfcs/pull/595) - @EvanHahn 1. **PR**: [#593 Only Registry Tarballs](https://github.com/npm/rfcs/pull/593) - @thescientist13 1. **PR**: [#591 RFC: Registry-scoped keyfile / certfile credential options](https://github.com/npm/rfcs/pull/591) - @jenseng 1. **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke ### Notes #### **PR**: [#595 Propose backwards-compatible improvements to compression](https://github.com/npm/rfcs/pull/595) - @EvanHahn - Sounds like a good idea but we would need a JavaScript implementation (similar to how we have `tar` today) in order to impleement it - Overall sentiment is that the compression improvement is welcome but it looks like it would take a proof of concept and challenge some of the edge cases to see if there are any unintended consequences, etc #### **PR**: [#593 Only Registry Tarballs](https://github.com/npm/rfcs/pull/593) - @thescientist13 - Needs more clarification: - add the flag to `npm audit` instead of `npm install` ? - as long as the lock file is available `npm audit` will work as expected. - `npm install` should have a flag to respect the status of `npm audit` - `eslint`-like config needs to exist for `npm audit` - these configs could/would have three different values (ex. off/warn/fail) - current set of audit checks can/would include: - peer deps - engines - vulnerabilities - signatures - dependency-types - licenses - **Actions:** - [ ] @thescientist13 to update RFC based on feedback #### **PR**: [#591 RFC: Registry-scoped keyfile / certfile credential options](https://github.com/npm/rfcs/pull/591) - @jenseng - @wraithgar - this was an oversight - should have always worked this way #### **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke - @ruyadorno - still a WIP - will have more to show next week