#### Meeting from: August 3rd, 2022
# Open RFC Meeting (npm)
### Attendees
- Darcy Clarke (@darcyclarke)
- Nathan Fritz (@fritzy)
- Ruy Adorno (@ruyadorno)
- Jordan Harband (@ljharb)
- Owen Buckley (@thescientist13)
- Gar (@wraithgar)
### Agenda
1. **Housekeeping**
    1. Introduction(s)
    1. Code of Conduct Acknowledgement
    1. Outline Intentions & Desired Outcomes
    1. Announcements
1. **Discussion**: Auditing SLSA provenance
1. **Issue**: [#620 [RRFC] npm init add a new question: type => "commonjs/module"](https://github.com/npm/rfcs/issues/620) - @aladdin-add
1. **Issue**: [#619 [RRFC] New --ci flag for npm outdated command](https://github.com/npm/rfcs/issues/619) - @khalyomede
1. **PR**: [#618 RFC: `npm debug` command](https://github.com/npm/rfcs/pull/618) - @about-code
1. **Issue**: [#615 [RRFC] exportable config definitions](https://github.com/npm/rfcs/issues/615) - @fritzy
1. **Issue**: [#612 [RRFC] Support --cpu and --os flag to specify platform specific install](https://github.com/npm/rfcs/issues/612) - @archfz
1. **Issue**: [#610 [RRFC] Parallel script execution when value is set to an array of text.](https://github.com/npm/rfcs/issues/610) - @EvanCarroll
1. **PR**: [#5000 feat: add npm query cmd](https://github.com/npm/cli/pull/5000) - @ruyadorno
1. **PR**: [#595 Propose backwards-compatible improvements to compression](https://github.com/npm/rfcs/pull/595) - @EvanHahn
1. **PR**: [#593 Only Registry Dependencies](https://github.com/npm/rfcs/pull/593) - @thescientist13
1. **PR**: [#23 Add Singleton Packages RFC.](https://github.com/npm/rfcs/pull/23) - @usergenic
### Need Ratification
- **PR**: [#591 RFC: Registry-scoped keyfile / certfile credential options](https://github.com/npm/rfcs/pull/591) - `@jenseng`
- **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - `@darcyclarke`
- **Issue**: [#438 [RRFC] Add libc fields to select optionalDependencies should be installed or skipped](https://github.com/npm/rfcs/issues/438) - `@Brooooooklyn`
### Notes
#### **Discussion**: Auditing SLSA provenance
- @ruyadorno
- @laurent open source security team
- opportunity to leverage the work at Google/SLSA to leverage this work
- @laurent
- do not trust github/other ci builds
- involved in builders
- have native builders running on GitHub
- use reusable workflows
- @ljharb
- this work is focused on tying builds back to packages
- this seems impossible given all the dependencies build processes will have
#### **Issue**: [#612 [RRFC] Support --cpu and --os flag to specify platform specific install](https://github.com/npm/rfcs/issues/612) - @archfz
- @ljharb
- trying to determine the use case
- @archfz
- using wine
- wants to opt-out of the check
- suggests we wait for more community feedback
- @ruyadorno
- this could be tied together with the package distributions RFC
- @wraithgar
- if this is only related to the cpu/os checks & being able to avoid them then it's well scoped - if this bleeds into node-gyp config that is likely out of scope of `npm`
#### **Issue**: [#620 [RRFC] npm init add a new question: type => "commonjs/module"](https://github.com/npm/rfcs/issues/620) - @aladdin-add
- @ljharb
- biggest problem with `type: "module"` is that people _think_ they **need** to change the type to be able to use ESM
- having this as a question would cause way more confusion
- @ruyadorno
- doesn't agree with the sentiment
- @ljharb
- `.mjs` files = ESM & don't have to change anything in `package.json`
- @wraithgar
- questions we ask today in `npm init` are locked-in
- future questions are all available by defining a separate install module/config
- @ljharb
- would love a future addition/question to init (ex. "are you a package or a project?" ie. are you a maintainer or consumer)
- @ruyadorno
- ex. `npm pkg` to use
#### **PR**: [#5000 feat: add npm query cmd](https://github.com/npm/cli/pull/5000) - @ruyadorno
- @ruyadorno
- PR has been merged
- remove agenda label
#### **Issue**: [#615 [RRFC] exportable config definitions](https://github.com/npm/rfcs/issues/615) - @fritzy
- @wraithgar
- just need to consolidate configs
- @darcyclarke
- migrating to statusboard
#### **Issue**: [#619 [RRFC] New --ci flag for npm outdated command](https://github.com/npm/rfcs/issues/619) - @khalyomede
- @wraithgar
- this makes a lot of sense
- should bikeshed the name (the name is confusing for sure)
- should consolidate the flag for exit code
- if we change the defaults we still need the flag
- @ljharb
- wish the default result for all commands respected old shell idioms
#### **PR**: [#618 RFC: `npm debug` command](https://github.com/npm/rfcs/pull/618) - @about-code
- @wraithgar
- this seems like a new lifecycle script
- on the `bin` changes, we'd need to rethink this
- need more signals between `exec` & `run`
- @ljharb
- making debugging sounds valuable
- should be able to just set the environment variable to achieve this
- @ruyadorno
- trying to set some default behaviour for this new `npm debug` command which is not great (`start` is also confusing for some folks)
#### **Issue**: [#610 [RRFC] Parallel script execution when value is set to an array of text.](https://github.com/npm/rfcs/issues/610) - @EvanCarroll
- ...
#### **PR**: [#595 Propose backwards-compatible improvements to compression](https://github.com/npm/rfcs/pull/595) - @EvanHahn
- ...
#### **PR**: [#593 Only Registry Dependencies](https://github.com/npm/rfcs/pull/593) - @thescientist13
- ...
#### **PR**: [#23 Add Singleton Packages RFC.](https://github.com/npm/rfcs/pull/23) - @usergenic
- ...