#### Meeting from: October 14th, 2020
# Open RFC Meeting (npm)
### Attendees
- Darcy Clarke (@darcyclarke)
- Christian Siebmanns (@christian24)
- Ruy Adorno (@ruyadorno)
- Isaac Z. Schlueter (@isaacs)
- Myles Borins (@MylesBorins)
- Jordan Harband (@ljharb)
- Wes Todd (@wesleytodd)
### Agenda
1. **Housekeeping**
1. Introduction(s)
1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct)
1. Outline Intentions & Desired Outcomes
1. Announcements
1. **PR**: [#239 describe how npm 7 handles peer conflicts](https://github.com/npm/rfcs/pull/239) - @isaacs
1. **Issue**: [#238 [RRFC] Deprecating the npx package from the public registry](https://github.com/npm/rfcs/issues/238) - @ruyadorno
1. **PR**: [#235 Allow server generated header values](https://github.com/npm/rfcs/pull/235) - @doddi
1. **PR**: [#138 RFC: Add configurable data to HTTP header](https://github.com/npm/rfcs/pull/138) - @mykyta / @doddi
3. **Issue**: [#225 [RRFC] Add support to plugin dependencies.](https://github.com/npm/rfcs/issues/225) - @mshima
4. **PR**: [#217 RFC: add registry per package per organisation](https://github.com/npm/rfcs/pull/217) - @baloran
5. **Issue**: [#155 [RRFC] Deprecated packages: automatically display dependents, to ease notifying maintainers](https://github.com/npm/rfcs/issues/155) - @dandv
### Notes
* Announcement: released npm v7.0.0! https://blog.npmjs.org/post/631877012766785536/release-v700
* still work to be done
* **PR**: [#239 describe how npm 7 handles peer conflicts](https://github.com/npm/rfcs/pull/239) - @isaacs
* @isaacs: two weird bugs found that will be fixed in `7.0.1`
* breaks yargs
* @isaacs: good suggestions in the PR about styling & strictness (may want to land these in v8 or later)
* **Action:** @isaacs to merge in RFC to `implemented/`
* **overrides** tangent:
* @ruyadorno: **overrides** spec may help w/ peer dep conflicts
* @isaacs: some hazards w/ conflict resolution w/ **overrides** especially when we save the dep back to `package.json`
* @ruyadorno: want to avoid the arbitrary resolution algo
* @wesleytodd: sounds like we need to add a warning when you go to `npm i x` & you've got an `overrides` value for `x`
* @isaacs: could save a very specific override based on the peer dep resolution
* @ljharb: can warn about changes to your override `x@1.0.1` to `x@1.0.2`
* @ljharb: this workflow/design may have some overlap with audit resolving
* **Issue**: [#238 [RRFC] Deprecating the npx package from the public registry](https://github.com/npm/rfcs/issues/238) - @ruyadorno
* @wesleytodd: concern/hazard about the breaking changes/behavior in the new version which means deprecation would make it harder for users to use the old version or see a noisy deprecation warning
* @isaacs: `npx` has bundled npm@5 & vice versa in the past, which is bad/strange
* @isaacs: `npx` was mostly a POC without many updates as it's challenging to maintain in both places
* @wesleytodd: we could just leave it there
* @isaacs: deprecation seems like the most relevant state since we are no longer maintaining that repository
* @mylesborins: can `npx` just shell out to `npm exec` in a new major version `npm@7`
* @ljharb: can deprecate every version but that major for a specific version of time
* @isaacs: RFCs or patches welcome
* Action: @darcyclarke to add deprecation warning to the npx package README
* Action: we'll continue down this path to deprecate for npm@7 "GA" (ie. once we cut it over as `latest`)
1. **PR**: [#235 Allow server generated header values](https://github.com/npm/rfcs/pull/235) - @doddi
1. **PR**: [#138 RFC: Add configurable data to HTTP header](https://github.com/npm/rfcs/pull/138) - @mykyta / @doddi
* Action: add support for header objects in `npm config`
* Action: investigate if npm@6 already supports sending `headers` today
1. **Issue**: [#225 [RRFC] Add support to plugin dependencies.](https://github.com/npm/rfcs/issues/225) - @mshima
* @ljharb: just use `npx`
* @wesleytodd: believe there may be a misunderstanding here; swapping files out shouldn't be breaking anything
* @ljharb: seems like there are alternative approaches to some of these niche problems that are ending up in requests to add to/increase the scope of `dependencies` specs & schema
* @ruyadorno: seems like another reason why we should update & pull out a programmatic version of `npx` into something like `libnpmexec`
1. **PR**: [#217 RFC: add registry per package per organisation](https://github.com/npm/rfcs/pull/217) - @baloran
* @ruyadorno: concerned about this having edges to land in a **minor** vs. a **major** (feels like we may have missed the boat)
* @isaacs: shouldn't be that bad
* @wesleytodd: would always be easier/nicer to ship in a major
* @darcyclarke: could patch `7.0.1` to throw a warning if we find this config being used
* @wesleytodd: don't want to block but there is a security/hazard for teams with this
* @isaacs: may be less hazardous based on the scope they're defining
* @ljharb: think it's best to warn across older versions