#### Meeting from: August 11th, 2021

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Gar (@wraithgar)
- Nathan Fritz (@fritzy)
- Isaac Z. Schlueter (@isaacs)
- Luke Karrys (@lukekarrys)
- Tierney Cyren (@bnb)
- Nathan LaFreniere (@nlf)
- Alasdair Hurst (@alasdairhurst)

### Previously...

- [2021-08-04](https://github.com/npm/rfcs/blob/latest/meetings/2021-08-04.md)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct)
    1. Outline Intentions & Desired Outcomes
    1. Announcements
1. **Audit Improvements**:
    1. Review Action Items from [previous deep-dive call](https://github.com/npm/rfcs/blob/latest/meetings/2021-08-04.md)
    1. **PR**: [#18 npm audit and audit-resolve.json](https://github.com/npm/rfcs/pull/18) - `@naugtur`
    1. **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - `@bnb`
    1. **PR**: [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - `@bnb`
1. **RFC**: [#397 Peer dependencies should be able to match a full range of prerelease versions](https://github.com/npm/rfcs/pull/397) - `@alasdairhurst`
1. **RRFC**: [#430 Improving workspace terminology](https://github.com/npm/rfcs/issues/430) - `@jasonwilliams`
1. **RRFC**: [#428 npm publish should tell you the end point it's pushing too.](https://github.com/npm/rfcs/issues/428) - `@EvanCarroll`
1. **RRFC**: [#427 npmrc file improvements](https://github.com/npm/rfcs/issues/427) - `@EvanCarroll`
1. **RRFC**: [#425 npm-unpublish should have some type of warning when unpublishing package](https://github.com/npm/rfcs/issues/425) - `@pranavkhapra`

### Notes

#### Review Action Items from [previous deep-dive call](https://github.com/npm/rfcs/blob/latest/meetings/2021-08-04.md)

- @darcyclarke will provide an update &/or reference to backlogged work to be done to investigate UX/UI `npm audit` improvements

##### **PR**: [#18 npm audit and audit-resolve.json](https://github.com/npm/rfcs/pull/18) - `@naugtur`

- @isaacs https://github.com/npm/arborist/pull/301 requires changes

##### **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - `@bnb`

- @bnb no update
- @isaacs notably the license SPDX string is not being included in lockfiles (will need to be added to corgi docs)
- [ ] **Action:** queue up adding the metadata to corgi docs w/ the registry team

##### **PR**: [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - `@bnb`

- @bnb: updated PR with some information, will update a bit more in-meeting to address "limiting scope"
- https://github.com/npm/cli/pull/3452

#### **RRFC**: [#430 Improving workspace terminology](https://github.com/npm/rfcs/issues/430) - `@jasonwilliams`

- @isaacs
  - ~"language is hard"
  - provided feedback/insight in the originating discussions here: https://github.com/npm/feedback/discussions/510
- @darcyclarke
  - has tried to map/visualize these terms as they relate to a
- [ ] **Action:** make PR to amend original **Workspaces** RFC a picture/visual of our terminology w/ glossary
- @fritzy
  - believe our definition is fine so long as we're consistent & glossary is explicit
- [ ] **Action:** Add glossary to npm/cli docs ([rough draft](https://github.com/npm/feedback/discussions/510#discussioncomment-1155331))
- [ ] **Action:** editorial pass through existing npm/cli docs to make sure we're using these terms properly
- [ ] **Action:** (nice to have) Automatically link words in docs to their glossary definitions (this might be too noisy/complicated?)

#### **RRFC**: [#428 npm publish should tell you the end point it's pushing too.](https://github.com/npm/rfcs/issues/428) - `@EvanCarroll`

- @naugtur would be nice to have it print prior to 2fa prompt
- [ ] **Action:** add registry target config output when using `npm publish`
- [ ] **Action:** consider other commands that we may want to provide this output/context (start with write operations at first)

#### **RRFC**: [#427 npmrc file improvements](https://github.com/npm/rfcs/issues/427) - `@EvanCarroll`

- @isaacs
  - have been considering improvements internally
  - this initial discussion/issue doesn't go as far as we'd like if we're going to make a breaking change to `.npmrc`/config
  - `npm install --regsitry=foo` <- typos don't throw (i.e. infinite options/config)
  - let's eliminate `nopt`
- @naugtur
  - consider making this an ecosystem package first & make it optional before shipping it by default
- @darcyclarke
  - what about something like `--thrown-on-unkown` to curb the infinite supported config problem we have today
  - the fact that this is misspelled here in the notes is :male-cook: :kissing_closed_eyes: perfect
- [ ] **Action:** audit config / propose a more comprehensive RFC

#### **RRFC**: [#425 npm-unpublish should have some type of warning when unpublishing package](https://github.com/npm/rfcs/issues/425) - `@pranavkhapra`

- @wraithgar want to be mindful that this would be specific to the npm public registry's policies
- @naugtur this shouldn't be that destructive given the current policy around a 24hr window