#### Meeting from: September 29th, 2021

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Gar (@wraithgar)
- Rick Markins (@rxmarbles)
- Isaac Z. Schlueter (@isaacs)
- Nathan Fritz (@fritzy)
- Luke Karrys (@lukekarrys)
- Jordan Harband (@ljharb)

### Previously...

- [2021-09-22](https://github.com/npm/rfcs/blob/latest/meetings/2021-09-22.md)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct)
    1. Outline Intentions & Desired Outcomes
    1. Announcements
1. **Issue**: [#445 ⚠️ [RRFC] Breaking changes for `npm@8`](https://github.com/npm/rfcs/issues/445) - @nlf
1. **PR**: [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb
1. **Issue**: [#466 [RRFC] `npm publish --if-needed`](https://github.com/npm/rfcs/issues/466) - @ljharb
1. **PR**: [#434 Support package-lock.json v3 in npm 7](https://github.com/npm/rfcs/pull/434) - @remcohaszing

### Notes

#### **Issue**: [#445 ⚠️ [RRFC] Breaking changes for `npm@8`](https://github.com/npm/rfcs/issues/445) - @nlf

- @wraithgar
  - only update here is that `node-gyp` will also get updated in `npm@8`

#### **PR**: [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb

- @darcyclarke
  - no updates from last week (need to create new RFC)

#### **Issue**: [#466 [RRFC] `npm publish --if-needed`](https://github.com/npm/rfcs/issues/466) - @ljharb

- @ljharb
  - `npm publish` is not repeatable today
- @isaacs
  - `npm publish` should just work this way
  - should have been a `PUT` & not a `POST`
  - `npm publish` checks for existing versions, so we'd have to add `--force`
- @bnb
  - could this be adapted for `npm unpublish`?
- **Action:**
  - [ ] @darcyclarke backlog work item to add `--force` support to `publish`
  - [ ] @darcyclarke backlog work item to add repeatable publishes for the same `dist.shasum`

#### **PR**: [#434 Support package-lock.json v3 in npm 7](https://github.com/npm/rfcs/pull/434) - @remcohaszing

- @isaacs
- **Action:**
  - [ ] @isaacs will review & ratify
  - [ ] @darcyclarke to backlog work item

#### Changing to Cache dir away from global

- @bnb
  - has been some feedback/comms around the use case of setting `prefix` to a user owned dir vs. the default global path
  - this is mostly to address new users & their DX
- @isaacs
  - you want node/npm in your path
- @ljharb
  - ideally, new users aren't managing/installing node on their own (ex. node version managers, node installers etc.)
- @wraithgar
  - it's in everyone's best interest to point new users to a version manager/tool

#### New TLS Enforcement on the npm Registry

- @ljharb
  - for `nvm`, it doesn't seem like there's any option to continue to support old versions of npm (ex. `npm@1`), node & run CI for them
- @isaacs
  - the thing that is blocking is that the old version of node can no longer connect to the npm registry
  - only workaround would be to compile node w/ a newer version of openssl
- @ljharb
  - for security purposes what does this change help prevent?