#### Meeting from: May 4, 2022

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Gar (@wraithgar)
- Nathan LaFreniere (@nlf)
- Ruy Adorno (@ruyadorno)
- Owen Buckley (@thescientist13)
- Jordan Harband (@ljharb)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. Code of Conduct Acknowledgement
    1. Outline Intentions & Desired Outcomes
    1. Announcements
        - [**v9 Roadmap**](https://github.com/npm/statusboard/issues/443) (Check it out)
        - OpenJS World - https://openjsf.org/openjs-world-2021/
2. **Issue**: [#572 [RRFC] remove `--access public` for initial publish of scoped modules](https://github.com/npm/rfcs/issues/572) - @bnb
    - @ljharb
        - From the previous discussion:
            - add `private: true` to the default npm init boilerplate in npm9
            - making the equivalent of currently using `--access public` the default if private=false
    - @darcyclarke
        - **Action item:**
            - close the issue, backlog working items
3. **Issue**: [#571 [RRFC] make npm update useful for modern package management](https://github.com/npm/rfcs/issues/571) - @bnb
    - @ljharb
        - Having an interactive tool might drive better low-level APIs
    - @ruyadorno
        - would be good to at least do a POC
        - can be something as simple as `npm out -p | npx ipt | npm update`
    - @darcyclarke
        - **Action Item:**
            - Backlog work on an interactive POC
4. **Issue**: [#570 [RRFC] `workspace-tag-version-prefix` config](https://github.com/npm/rfcs/issues/570) - @ljharb
    - @ljharb
        - open question seems to be single commit vs multiple commits
        - expectations: doing all operations + git commit vs cd into folders, running operations, git commit and so on for each package
        - simpler implementation might also be a good reason for picking the default behavior
    - @wraithgar
        - working on the release today, we noticed the need for both commit and tag to be templatized
        - they have to be explicit config values
    - @nlf
        - +1 for two templates
    - @darcyclarke
        - **Action Item:**
            - Backlog tickets to work on these
    - @darcyclarke
        - **Action Item:**
            - Follow up with this offline; looks like there are different things that can be looked at, maybe aliases or the registry protocol RFC
6. **PR**: [#566 RFC: Command Specific Configuration](https://github.com/npm/rfcs/pull/566) - @darcyclarke
    - @ljharb
        - need to be very specific on which command calls/invokes a secondary command behind the scenes (e.g. `npm publish` using `npm pack`), in which case it makes sense to forward configs
7. **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke
    - @darcyclarke
        - There's intention to start working on that soon
8. **Issue**: [#559 [RRFC] expanding behavior of `--before` to support date adjustment and setting via config](https://github.com/npm/rfcs/issues/559) - @MylesBorins
    - @darcyclarke
        - Believe this can be removed from the agenda
    - @ljharb
        - If there are going to be changes, we need to be looking at the Temporal proposal
            - notation example ref: https://tc39.es/proposal-temporal/docs/duration.html
        - Suggestion: use the Temporal duration specification for the DSL
            - could rely on a polyfill to start using it before the Temporal API is widely available (non-experimental) in node core
9. **PR**: [#550 RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550) - @feelepxyz
    - @wraithgar
        - Install can opt in to signature validation using a config option
    - @ljharb
        - Assume the default should be to validate signatures, as long as it does not introduce a performance problem
        - config options could be prefixed/nested under audit: `--no-audit-signatures`, `--no-audit-vulnerabilities`, and `--no-audit` could opt out of all checks: vulns, signatures, licenses, etc.
    - @darcyclarke
        - The current RFC only contains the proposal for a separate command (from `npm install`) that validates the signatures of installed packages
        - **Action Item:**
            - Look into ratifying this RFC
10. **Issue**: [#549 [RRFC] support different `--before` policy per package prefix/pattern](https://github.com/npm/rfcs/issues/549) - @osher
    - @ljharb
        - see this as potentially harmful
    - @nlf
        - if the idea is to install the specific versions that were available at a certain point in time, then someone can just use `overrides` to replace ranges for given packages with the specific versions they expect to use
    - @wraithgar
        - these are policies; registries should do this, not the cli
12. **Issue**: [#548 [RRFC] Add flag for running NPM commands in transitive dependencies](https://github.com/npm/rfcs/issues/548) - @zgriesinger
13. **Issue**: [#546 [RRFC] Clean up file ownership story](https://github.com/npm/rfcs/issues/546) - @ruyadorno
14. **Issue**: [#539 [RRFC] Security: audit lockfiles for injection](https://github.com/npm/rfcs/issues/539) - @fritzy
15. **PR**: [#519 RFC: Package Distributions](https://github.com/npm/rfcs/pull/519) - @darcyclarke
16. **Issue**: [#479 BREAKING CHANGE(bin): command should not return non-existent paths](https://github.com/npm/statusboard/issues/479) - @lineus
17. **Issue**: [#575 [FEATURE] run-script with workspaces should short-circuit on script error](https://github.com/npm/rfcs/issues/575) - @johndiiorio