#### Meeting from: April 20th, 2022

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Jordan Harband (@ljharb)
- Philip Harrison (@feelepxyz)
- Gar (@wraithgar)
- Ruy Adorno (@ruyadorno)
- Tierney Cyren (@bnb)
- Owen Buckley (@thescientist13)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. Code of Conduct Acknowledgement
    1. Outline Intentions & Desired Outcomes
    1. Announcements
        - [**v9 Roadmap**](https://github.com/npm/statusboard/issues/443) (Check it out)
        - OpenJS World - https://openjsf.org/openjs-world-2021/
1. **Issue**: [#572 [RRFC] remove `--access public` for initial publish of scoped modules](https://github.com/npm/rfcs/issues/572) - @bnb
1. **Issue**: [#571 [RRFC] make npm update useful for modern package management](https://github.com/npm/rfcs/issues/571) - @bnb
1. **Issue**: [#570 [RRFC] `workspace-tag-version-prefix` config](https://github.com/npm/rfcs/issues/570) - @ljharb
1. **PR**: [#550 RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550) - @feelepxyz
1. **PR**: [#566 RFC: Command Specific Configuration](https://github.com/npm/rfcs/pull/566) - @darcyclarke
1. **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke
1. **Issue**: [#559 [RRFC] expanding behavior of `--before` to support date adjustment and setting via config](https://github.com/npm/rfcs/issues/559) - @MylesBorins
1. **Issue**: [#549 [RRFC] support different `--before` policy per package prefix/pattern](https://github.com/npm/rfcs/issues/549) - @osher
1. **Issue**: [#548 [RRFC] Add flag for running NPM commands in transitive dependencies](https://github.com/npm/rfcs/issues/548) - @zgriesinger
1. **Issue**: [#546 [RRFC] Clean up file ownership story](https://github.com/npm/rfcs/issues/546) - @ruyadorno
1. **Issue**: [#539 [RRFC] Security: audit lockfiles for injection](https://github.com/npm/rfcs/issues/539) - @fritzy
1. **PR**: [#519 RFC: Package Distributions](https://github.com/npm/rfcs/pull/519) - @darcyclarke
1. **Issue**: [#479 BREAKING CHANGE(bin): command should not return non-existent paths](https://github.com/npm/statusboard/issues/479) - @lineus
1. **Issue**: [#575 [FEATURE] run-script with workspaces should short-circuit on script error](https://github.com/npm/rfcs/issues/575) - @johndiiorio

---

### Notes

#### **Issue**: [#572 [RRFC] remove `--access public` for initial publish of scoped modules](https://github.com/npm/rfcs/issues/572) - @bnb

- @ljharb
  - would rather see a holistic approach to improving the UX of scoped pkgs, private vs public pkgs, etc
  - first make `npm init` default to `private: true` and then tweak the access values
- @wraithgar
  - historically scoped packages were created hand to hand with private packages but that might not be the case anymore
  - it might make more sense today to tweak the value of these configs
- @darcyclarke
  - `npm init` defaults to `private: true` in npm v9
  - remove `--access public` when publishing a scoped package for the first time

#### **Issue**: [#571 [RRFC] make npm update useful for modern package management](https://github.com/npm/rfcs/issues/571) - @bnb

- @bnb
  - has had issues for years with having to navigate `npm outdated` & `npm update`
  - wants a direct/meaningful path to update dependencies
- @wraithgar
  - you want something that gets `latest` updates?
  - ex. `npm-check-updates`
- @bnb
  - yes.
  - wants an experience closer to `npm outdated` in which you can see the wanted vs latest published version to registry
- @ljharb
  - there should be an interactive update mode: `npm update -i`
  - much simpler for the regular user to use an interactive interface to select what version of a dependency they want to update to
- @ruyadorno
  - have been actively pushing against because of how many other items we have to address first
  - want a holistic approach to `--interactive` (so there's a consistent approach across all the commands)
- @feelepxyz
  - dependabot could delete a lot of code if `npm` adds this
  - dependabot introduced different strategies to deal with different changes done by an update to `package.json` (ex. https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy)

#### **Issue**: [#570 [RRFC] `workspace-tag-version-prefix` config](https://github.com/npm/rfcs/issues/570) - @ljharb

- @ljharb
  - proposing a default syntax for handling the tag name, message

#### **PR**: [#550 RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550) - @feelepxyz

- @feelepxyz
  - ...

#### **PR**: [#566 RFC: Command Specific Configuration](https://github.com/npm/rfcs/pull/566) - @darcyclarke

- ...

#### **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke

- ...

#### **Issue**: [#559 [RRFC] expanding behavior of `--before` to support date adjustment and setting via config](https://github.com/npm/rfcs/issues/559) - @MylesBorins

- ...

#### **Issue**: [#549 [RRFC] support different `--before` policy per package prefix/pattern](https://github.com/npm/rfcs/issues/549) - @osher

- ...

#### **Issue**: [#548 [RRFC] Add flag for running NPM commands in transitive dependencies](https://github.com/npm/rfcs/issues/548) - @zgriesinger

- ...

#### **Issue**: [#546 [RRFC] Clean up file ownership story](https://github.com/npm/rfcs/issues/546) - @ruyadorno

- ...

#### **Issue**: [#539 [RRFC] Security: audit lockfiles for injection](https://github.com/npm/rfcs/issues/539) - @fritzy

- ...

#### **PR**: [#519 RFC: Package Distributions](https://github.com/npm/rfcs/pull/519) - @darcyclarke

- ...

#### **Issue**: [#479 BREAKING CHANGE(bin): command should not return non-existent paths](https://github.com/npm/statusboard/issues/479) - @lineus

- ...

#### **Issue**: [#575 [FEATURE] run-script with workspaces should short-circuit on script error](https://github.com/npm/rfcs/issues/575) - @johndiiorio