#### Meeting from: July 22nd, 2020 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Christian Siebmanns (@christian24) - Ruy Adorno (@ruyadorno) - Isaac Z. Schlueter (@isaacs) - Claudia Hernández (@claudiahdz) - Lukas Spieß (@lumaxis) - Wes Todd (@wesleytodd) - Zbyszek Tenerowicz (@naugtur) ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. Code of Conduct Acknowledgement 1. Outline Intentions & Desired Outcomes 1. Announcements 1. **PR**: [#165 RFC for parent package.json](https://github.com/npm/rfcs/pull/165) - @Christian24 1. **Issue**: [#160 [Poll] Preference on how to filter workspaces](https://github.com/npm/rfcs/issues/160) - @ruyadorno 1. **PR**: [#150 RFC: Add file+pack dependency protocol](https://github.com/npm/rfcs/pull/150) - @RecuencoJones 1. **PR**: [#129 RFC: overrides](https://github.com/npm/rfcs/pull/129) - @isaacs 1. **PR**: [#126 RFC: Adding types information to the Package JSON in the registry](https://github.com/npm/rfcs/pull/126) - @orta 1. **PR**: [#117 RFC: npm workspaces - Running Commands](https://github.com/npm/rfcs/pull/117) - @ruyadorno 1. **PR**: [#114 RFC: Expand list of ignored files](https://github.com/npm/rfcs/pull/114) - @ruyadorno 1. **PR**: [#96 RFC: Add publish confirmation prompt](https://github.com/npm/rfcs/pull/96) - @ruyadorno 1. **PR**: [#18 npm audit resolve](https://github.com/npm/rfcs/pull/18) - @naugtur 1. **PR**: [#185 Add ability to skip script hooks](https://github.com/npm/rfcs/pull/185) - @lumaxis 1. **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb ### Notes ### Parent package.json - Problem description: managing multiple packages, would be great to reuse info across these - might be a very difficult problem to solve due to the complexities of the JavaScript ecosystem - workspaces in npm7 could also open up more possibilities (maybe challenges?) - implementation ideas: - no package.json extension at install time - disallow publishing of extensions keys to the registry - [read-package-json](https://github.com/npm/read-package-json) / [read-package-json-fast](https://github.com/npm/read-package-json-fast) - add logic to merge package.json during pack tarball time - we could ship it in a v7-minor release - need research to land in the exact key to use in package.json - TS currently uses "extends" - if we allow users to extend from published versions in the registry it gets way harder to build the ideal install tree (might need to add read-package-json as a pacote dep, etc) - should it be a ref to published package or to a file? - limiting consumption to exclude git-specs already simplifies by a lot the surface for end consumers that would not have to deal how package authors publish tags, etc - def have some details to be figured out ### Preference on how to filter workspaces - Let's document the results in the RFC ### Add publish confirmation prompt - RFC ratified :+1: ### Audit resolve - @naugtur updated the RFC and updated JSON Schema ### Add ability to skip script hooks - Fix to strange behavior of `--ignore-scripts` in `npm run-script` - When running `npm test --ignore-scripts` it's more intuitive to skip `pretest` and `posttest` - Could it be tweaked to ignore specific lifecycle (e.g `postinstall`) when running `npm install`? - ref: https://npm.community/t/add-ignore-script-scripts/4169/18 - That should be a diff RFC/discussion - RFC ratified :+1: ### npm audit licenses - license checker built into npm cli itself - command: `npm audit license` - might interact with the audit resolve proposal on how to block/ignore/allow results - should be part of the default `audit`, some niceties like having results at install time - missing a better control at level, since some of the problems might not have a solution, same as current `audit` implementation (are probably going to be better once audit resolve is available)