#### Meeting from: May 25th, 2022
# Open RFC Meeting (npm)
### Attendees
- Darcy Clarke (@darcyclarke)
- Nathan LaFreniere (@nlf)
- Jordan Harband (@ljharb)
- Owen Buckley (@thescientist13)
- Ruy Adorno (@ruyadorno)
### Agenda
1. **Housekeeping**
    1. Introduction(s)
    1. Code of Conduct Acknowledgement
    1. Outline Intentions & Desired Outcomes
    1. Announcements
        - [**v9 Roadmap**](https://github.com/npm/statusboard/issues/443) (Check it out)
        - OpenJS World - https://openjsf.org/openjs-world-2021/
1. **PR**: [#593 Only Registry Tarballs](https://github.com/npm/rfcs/pull/593) - @thescientist13
1. **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke
1. **Issue**: [#575 [FEATURE] run-script with workspaces should short-circuit on script error](https://github.com/npm/rfcs/issues/575) - @johndiiorio
### Notes
#### **PR**: [#593 Only Registry Tarballs](https://github.com/npm/rfcs/pull/593) - @thescientist13
- @thescientist13
    - Bringing in as an RFC the results of the conversations in the original RRFC issue (https://github.com/npm/rfcs/issues/581) discussed previously in these meetings
- @ljharb
    - Thinks it's very important to handle five different modes:
        - silent
        - warn on indirect deps
        - warn on direct deps
        - warn on everything
        - fail on everything
- @darcyclarke
    - Potential in the future for this to be augmented/have more granular control, once `npm query` lands
- @ljharb
    - There's a need for more **npm** commands to be more granular on what packages they act on
- @darcyclarke
    - Better to hold on for now on adding any new way to filter/group packages until we have `npm query` out and see how we can best serve all these scenarios in a more holistic way
    - Stick with 3 modes:
        - warn on any git dep (default)
        - silent (same as today, opt-in)
        - strict / fail on any git dep (opt-in)
- @ljharb
    - Too strong on transitive dep maintainers to then switch to strict mode by default
    - Avoiding maintainer burnout should always be a priority
- @darcyclarke
    - There was research from @naugtur showing that there's less than 1% usage of git deps within the top 10K packages, [ref](https://github.com/naugtur/research/blob/036ed9c84257c5d22d9952f765b0c95fd0ca5d85/git-deps/gits.md).
    - Sounds like we're blocked on making a decision here until `npm query` is ready.
- @ljharb
    - RFC should be worded to include any remote dep that is not coming from the registry (local linked deps are ok), but remote tarballs should also be included
    - Should relate the RFC to `npm audit` instead of tying it to `npm install`; then it becomes auditing of dependency types (or similar), and install can one day maybe become configurable to fail if audit (or type audit) fails
- @thescientist13
    - Will clean the RFC up and incorporate all the feedback
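
The three modes and the "anything remote that is not from the registry" scope discussed above can be sketched as a lockfile check. This is an added example, not part of the meeting notes, the RFC, or npm's code; the function names, the sample lockfile, and the choice to read the `resolved` field of `package-lock.json` against the default registry URL are assumptions.

```javascript
// Added illustration, not npm's implementation. Names and sample data are hypothetical.
const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';

// Classify one entry of a lockfile "packages" map by where it was fetched from.
function classifySource(entry, registry = DEFAULT_REGISTRY) {
  const resolved = entry.resolved || '';
  if (entry.link || resolved.startsWith('file:')) return 'local';
  if (/^git[+:]/.test(resolved)) return 'git';
  if (/^https?:\/\//.test(resolved)) {
    // Compare with a trailing slash so look-alike hosts do not match the prefix.
    const prefix = registry.endsWith('/') ? registry : registry + '/';
    return resolved.startsWith(prefix) ? 'registry' : 'remote-tarball';
  }
  return 'unknown'; // e.g. bundled deps, which carry no "resolved" field
}

// mode: 'warn' (report), 'silent' (report nothing), 'strict' (fail on any finding).
function auditDependencySources(lock, mode = 'warn', registry = DEFAULT_REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const kind = classifySource(entry, registry);
    if (kind === 'git' || kind === 'remote-tarball') {
      findings.push({ path, kind, resolved: entry.resolved });
    }
  }
  const level = mode === 'strict' ? 'error' : 'warn';
  return {
    ok: mode !== 'strict' || findings.length === 0,
    messages: mode === 'silent' ? [] : findings.map(
      (f) => `${level} ${f.kind} dependency ${f.path} <- ${f.resolved}`),
  };
}

// Constructed sample in the lockfileVersion 3 layout (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/a': { resolved: 'https://registry.npmjs.org/a/-/a-1.0.0.tgz' },
    'node_modules/b': { resolved: 'git+ssh://git@github.com/example/b.git#0123456789abcdef0123456789abcdef01234567' },
    'node_modules/c': { resolved: 'https://downloads.example.com/c-2.0.0.tgz' },
    'node_modules/d': { resolved: '../d', link: true },
  },
};

for (const mode of ['warn', 'silent', 'strict']) {
  console.log(mode, auditDependencySources(SAMPLE_LOCK, mode));
}
```
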
#### **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke
- @ruyadorno
    - Will demo something next week
#### **Issue**: [#575 [FEATURE] run-script with workspaces should short-circuit on script error](https://github.com/npm/rfcs/issues/575) - @johndiiorio
- ...