#### Meeting from: December 2nd, 2020

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Ruy Adorno (@ruyadorno)
- Christian Siebmanns (@christian24)
- Nathan LaFreniere (@nlf)
- Isaac Z. Schlueter (@isaacs)
- Bradley Farias (@bmeck)
- Jordan Harband (@ljharb)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct)
    1. Announcements
1. **Issue**: [#287 [RRFC] Add nohoist option for workspaces](https://github.com/npm/rfcs/issues/287) - @socialwyze-franklin
1. **PR**: [#279 RFC for --default-command](https://github.com/npm/rfcs/pull/279) - @isaacs
1. **Issue**: [#275 [RRFC] `registry:<url>:<name>[@<version-range>]` dependency specifier](https://github.com/npm/rfcs/issues/275) - @isaacs
1. **PR**: [#273 RFC: npm workspaces - Config management](https://github.com/npm/rfcs/pull/273) - @ruyadorno

### Notes

- Skipping next week's OpenRFC call since we have GitHub Universe happening

#### **Issue**: [#287 [RRFC] Add nohoist option for workspaces](https://github.com/npm/rfcs/issues/287) - @socialwyze-franklin

- Queue up a deep-dive call to discuss this along with installation strategies, probably going to happen early January
- @ljharb: hoisting might not be the ideal way to share dependencies across workspaces, we should come up with something better than that

#### **PR**: [#279 RFC for --default-command](https://github.com/npm/rfcs/pull/279) - @isaacs

- @ruyadorno: from @isaacs's comment in the thread it seems making `help-search` smarter sounds like the best solution until now
- @christian24: an `npr` bin is another possible avenue to help users that want a shorter/simpler `npm run-script` workflow
- @darcyclarke: adding/maintaining a new binary might be extra work that we need to weigh
- @isaacs: maybe we're trying to add something we don't necessarily want and/or need, let's backlog work on improving `help-search` and take the item out from the agenda and leave it there in case someone wants to chime in in the future

#### **Issue**: [#275 [RRFC] `registry:<url>:<name>[@<version-range>]` dependency specifier](https://github.com/npm/rfcs/issues/275) - @isaacs

- @isaacs: replace second colon with a hash in the final implementation to simplify
- @ruyadorno: we should also poke other package maintainers, Mael, Zoltan once the RFC PR is out
- @isaacs: kinda extends aliases

#### **PR**: [#273 RFC: npm workspaces - Config management](https://github.com/npm/rfcs/pull/273) - @ruyadorno

- @christian24: maybe have an `npm workspaces init` to provide initial setup
- @ruyadorno: The goal of the workspaces support is to supplement some of the functionalities provided by projects such as **Lerna** but we have no plans to work on some of its more complex features such as publishing workflows for example.

#### [Experimental policies in Node.js](https://nodejs.org/api/policy.html)

- @bmeck: Would like input from package managers, some categories of malware from the registry could be avoided by setting policies
- @ljharb: You would need to opt-in to policies?
- @bmeck: correct
- @isaacs: having everything stop working in `npx` would be quite disruptive
- @darcyclarke: best neutral ground to bring over this discussion to bring over other package managers would be the [Node.js Package Maintenance Working Group](https://github.com/nodejs/package-maintenance/)
- @darcyclarke: saw the "requested permissions" from the spec that would help out surface that information to users installing packages
- @ljharb: It would be great to be able to tell what packages need a given module (e.g. `child_process`), maybe using an npm top-level command (similar to how `npm fund` surfaces funding info)