Open RFC Meeting (npm)

#### Meeting from: November 10th, 2021 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Bradley Farias (@bmeck) - Isaac Z. Schlueter (@isaacs) - Matt Hayes (@mysterycommand) - Nathan Fritz (@fritzy) - Francisco Tolmasky (@tolmasky) ### Previously... - [2021-11-03](https://github.com/npm/rfcs/blob/latest/meetings/2021-11-03.md) ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct) 1. Outline Intentions & Desired Outcomes 1. Announcements 1. **PR**: [#488 Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/488) - @tolmasky 1. **PR**: [#486 Resolved registry overrides](https://github.com/npm/rfcs/pull/486) - @everett1992 1. **Updates for:** 1. **PR**: [#481 RFC: Run `prepare` Scripts for Linked Bundled Dependencies](https://github.com/npm/rfcs/pull/481) - @mysterycommand 1. **PR**: [#375 Define which dependencies are shared among workspace projects](https://github.com/npm/rfcs/pull/375) - @isaacs ### Notes #### **PR**: [#488 Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/488) - @tolmasky - @tolmasky - brief: want to start the discussion around this change (ie. replace behaivour of lifecycle scripts being run by defaut) - continuing to do investigation on registry usage - would like to have analysis to show/look at - @bmeck - currently shipping pre-built binaries at datadog but have fallback package.json#scripts - did investigation & found issues when ignored scripts during install & found a number of cases where builds were breaking because of arbitrary code execution - E.G. binding.gyp file forces a node-gyp execution even w/o scripts in package.json - @mylesborins - has been doing investigation in this space - two concerns with a change this large: - DX / adoption could be an issue (ex. peer deps changes have made it harder for folks to upgrade) - want to be mindful of how we role this out - @bmeck - mindful of when people talk about "security theater" - these points should be enumerated - shipping pre-built binaries is one way to address some of these problems but it probably moves that operation further upstream (still need to build the binary at some point, probably in CI) - @isaacs - a change like this would reduce the attack surface but... - since we still install & help you run code, someone could still be vulnerable - there are some current work-arounds that cleaverly work to support some of the binary/variant package use-cases (ex. optional dependency fallbacks w/ bootloader) - @tolmasky - there is multiple dimensions & stackholders here - seems like for some this could be the least of their concerns vs. this is the only thing they care about - if your attack surface is expected to only ever be the browser then you don't really have an understanding of your machine being compromised when installing dependecies - would like this to be the start of a theme of changes/feature improvements that trend towards a place where this isn't a major change for the ecosystem - would be good to detemine what an exhaustive list of what install scripts are used to do today(?) - @everett1992 - best thing that could be done for this RFC would be to get analysis done & show the data - @mylesborins - we're doing some research here into the usage/use-cases which encompases numersous runtimes and environments - what may be good is to define what develoiper experiences we would break today with these kinds of changes (requires another form of research) - we're starting to investigate different classes of packages (ex. focus on popular packages having different restrictions/conditions) - @darcyclarke - `hasInstallScript` exists in the corgi/packument documents in the registry which may be helfpul for determining if scripts have been introduced between versions - @bmeck - a concern with focusing on popular packages is that developers machines are often lesser in download counts and various low download packages are actually bundled in other ones (E.G. common MIME DB off top of my head) #### **PR**: [#486 Resolved registry overrides](https://github.com/npm/rfcs/pull/486) - @everett1992 - @everett1992 - v6 to v7 issues with how shrinkwrap stores `resolve` keys - the behaivour assumes the path is the same for the destination of tarball as well as the pakument - have custom build tools that just delete the resolve key - @isaacs - recording the registry value in lockfiles has been/is a magic value & thorny issues have fallen out of its implementation - **Actions:** - set up call #### **PR**: [#481 RFC: Run `prepare` Scripts for Linked Bundled Dependencies](https://github.com/npm/rfcs/pull/481) - @mysterycommand - @mysterycommand - has made some progress with the hacky solution (ie. hardcoding pack/perpare using --workspaces flags) - caveat is that it doesn't work further then one level - **Actions:** - create reporduction/isolated use-case in a repo (to collaborate on) #### **PR**: [#375 Define which dependencies are shared among workspace projects](https://github.com/npm/rfcs/pull/375) - @isaacs - No update - **Actions:** - @isaacs will meet with @ljharb in the next week