#### Meeting from: September 1st, 2021

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Gar (@wraithgar)
- Vincent Bailly (@VincentBailly)
- Isaac Z. Schlueter (@isaacs)
- Nathan Fritz (@fritzy)
- Owen Buckley (@)
- Nathan LaFreniere (@nlf)

### Previously...

- [2021-08-25](https://github.com/npm/rfcs/blob/latest/meetings/2021-08-25.md)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct)
    1. Outline Intentions & Desired Outcomes
    1. Announcements
1. **`npm` v8 Plan:** https://github.com/npm/rfcs/issues/445 ~ @nlf
1. **PR**: [#441 addendum: overrides apply if value matches, as well as key](https://github.com/npm/rfcs/pull/441) - @isaacs
1. **PR**: [#437 RFC: Robust Lifecycle Scripts](https://github.com/npm/rfcs/pull/437) - @fritzy
1. **PR**: [#436 new installation mode: pure-mode](https://github.com/npm/rfcs/pull/436) - @VincentBailly
1. **PR**: [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb
1. **PR**: [#126 RFC: Adding types information to the Package JSON in the registry](https://github.com/npm/rfcs/pull/126) - @orta

### Notes

#### **`npm` v8 Plan:** https://github.com/npm/rfcs/issues/445 ~ @nlf

- @nlf
  - want to set ourselves up for success in the future
  - `npm@8` should drop support for `node@10`
  - `npm@7` had a number of issues when consumers upgraded
  - `npm@8` should refuse to install a version of itself that is not compatible with the current `node` version for end-users
- @ljharb
  - "What about the 'stricter peer deps' change becoming default?"
- @nlf
  - we want to keep the number of breaking changes to a limited set
- @isaacs
  - the "refuse to install a breaking version of the CLI" is a `npm@7` change we'll make to help with migration to `npm@8`
  - in terms of 'stricter peer deps' as
- @wraithgar
  - the less that breaks, the more likely we are to land this version of `npm` into `node@8`

#### **PR**: [#441 addendum: overrides apply if value matches, as well as key](https://github.com/npm/rfcs/pull/441) - @isaacs

- @isaacs
  - we need to keep track of overridden nodes in the tree somehow
  - making this amendment ensures that string or dot members can match on the current node so that we can apply override nodes properly
  - there are some implications
- **Actions:**
  - [ ] @isaacs to pull in changes to spec

#### **PR**: [#437 RFC: Robust Lifecycle Scripts](https://github.com/npm/rfcs/pull/437) - @fritzy

- @fritzy
  - no updates from last week
- **Actions:**
  - [ ] @fritzy to flesh out the rest of the RFC sections

#### **PR**: [#436 new installation mode: pure-mode](https://github.com/npm/rfcs/pull/436) - @VincentBailly

- @VincentBailly
  - based on last week's meeting notes/action items:
    - On SemVer: There isn't a need to make this a major version bump as it is an opt-in feature
      - it can wait to be introduced in a major if we _want_ to
    - On Breaking Changes: Packages that rely on the hoisting behavior for shadow dependencies, usually accidentally.
    - Examples of Broken Projects: Packages that do static analysis, Amazon Web Services & React Native projects do not support symlinks & would be broken by a strict-mode/symlinked mode
      - the examples of broken projects do not feel scary, personally, & this is following a paved path by other package managers (ex. `pnpm` & `yarn`)
- @isaacs
  - had a sync w/ @fritzy & @vincentbailly
  - potential for lockfile & node_modules folder to not be accurate based on the initial implementation strategy we've discussed to transmute the tree between modes
    - that said, the hidden lockfile should always be accurate
  - there is a separate conversation happening about the sharing of deps in a separate issue (#375)
- @vincentbailly
  - there was a question about whether or not this pertains to just Workspace projects or to all projects
    - the answer to this is that this RFC, & corresponding work, should apply to **all** projects
  - seems to be some confusion in the vocabulary
- **Actions:**
  - [ ] @vincentbailly will reframe the RFC to be more clear & direct people to #375 (ie. focus on motivation)
  - [ ] @vincentbailly will come up with options for a new name, as "Pure Mode" isn't well received by everyone (potentially run a poll using emojis)
  - [ ] @vincentbailly to review RFC to ensure it is clear that this mode applies to **all** `npm` projects

#### **PR**: [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb

- @bnb
  - updated the RFC based on the last set of action items
  - there is some discussion around trust sources
    - not sure how important that feedback is to consider
- @darcyclarke
  - has @asciimike jumped in & been able to help at all?
- @bnb
  - yes
- **Actions:**
  - [ ] @darcyclarke to add comments/feedback about API design (ie. `npm audit assert --module=<package spec>` vs. `npm audit assert <package spec>`)

#### **PR**: [#126 RFC: Adding types information to the Package JSON in the registry](https://github.com/npm/rfcs/pull/126) - @orta

- @wraithgar
  - no evaluation of `flow`, no one has asked for this
    - dropped `flow`
- **Actions:**
  - [ ] @wraithgar to pull in [PR #103, adding `types` field to `read-package-json`](https://github.com/npm/read-package-json/pull/103)
    - future publishes will now have that metadata included