Open RFC Meeting (npm)

#### Meeting from: July 13th, 2022 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Gar (@wraithgar) - Jon Jensen (@jenseng) - Nathan Fritz (@fritzy) - David Zearing (@dzearing (dzearing@microsoft.com)) - Jordan Harband (@ljharb) ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. Code of Conduct Acknowledgement 1. Outline Intentions & Desired Outcomes 1. Announcements 1. **PR**: [#5000 feat: add npm query cmd](https://github.com/npm/cli/pull/5000) - @ruyadorno 1. **PR**: [#595 Propose backwards-compatible improvements to compression](https://github.com/npm/rfcs/pull/595) - @EvanHahn 1. **PR**: [#593 Only Registry Tarballs](https://github.com/npm/rfcs/pull/593) - @thescientist13 1. **PR**: [#591 RFC: Registry-scoped keyfile / certfile credential options](https://github.com/npm/rfcs/pull/591) - @jenseng 1. **Issue**: [#489 Initiative: `v8.x`](https://github.com/npm/statusboard/issues/489) - @darcyclarke 1. **Issue**: [#487 Initiative: `v10.x`](https://github.com/npm/statusboard/issues/487) - @darcyclarke 1. **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke 1. **Issue**: [#443 Initiative: `v9.x`](https://github.com/npm/statusboard/issues/443) - @darcyclarke 1. **Issue**: [#438 [RRFC] Add libc fields to select optionalDependencies should be installed or skipped](https://github.com/npm/rfcs/issues/438) - @Brooooooklyn 1. **PR**: [#165 RFC for parent package.json](https://github.com/npm/rfcs/pull/165) - @Christian24 ### Notes #### **PR**: [#5000 feat: add npm query cmd](https://github.com/npm/cli/pull/5000) - @ruyadorno - @wraithgar - added `from` field to resulting json from `npm query` - @darcyclarke - will add updates back to the RFC & ratify #### **PR**: [#595 Propose backwards-compatible improvements to compression](https://github.com/npm/rfcs/pull/595) - @EvanHahn - No update #### **PR**: [#593 Only Registry Tarballs](https://github.com/npm/rfcs/pull/593) - @thescientist13 - No update #### **PR**: [#591 RFC: Registry-scoped keyfile / certfile credential options](https://github.com/npm/rfcs/pull/591) - @jenseng - @jenseng - open three PRs (under review) - notably implementation uses sync operation - @ljharb - `fs.readFileSync` is totaly fine to use - @darcyclarke - ratify #### **Issue**: [#489 Initiative: `v8.x`](https://github.com/npm/statusboard/issues/489) - @darcyclarke #### **Issue**: [#443 Initiative: `v9.x`](https://github.com/npm/statusboard/issues/443) - @darcyclarke #### **Issue**: [#487 Initiative: `v10.x`](https://github.com/npm/statusboard/issues/487) - @darcyclarke #### **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke - @darcyclarke - Update based on WIP PR (case sensitive attributes & `from` field) & ratify (including spec for programmatic usage & returned values) #### **Issue**: [#438 [RRFC] Add libc fields to select optionalDependencies should be installed or skipped](https://github.com/npm/rfcs/issues/438) - @Brooooooklyn - @darcyclarke - this would be the last priveledged top-level field for conditional packages beyond more holistic enhancements to distributions #### **PR**: [#165 RFC for parent package.json](https://github.com/npm/rfcs/pull/165) - @Christian24 - @darcyclarke - Waiting on @wesleytodd's feedback/input #### `singleton` https://github.com/npm/rfcs/pull/23 - @dzearing - 4 problems to address: - producer packages can't declare themselves singletons, leaving it up to others to decide via peers - hosts can't declare dependencies as singletons, so the tools end up duplicating singletons and bulky things that would be best installed once - peers aren't well enforced, the term "peer" does not imply "singleton" so there is clear understanding of when something should be listed as a dependency or dev dependency - when duplicates show up, no error messaging explains how to fix. If there is a way for producers to declare singleton expecetations, and a way for consumers to override either default or singleton policies, error messages can explain much more easily how to resolve. - MS is looking to do this as a prototype - tool to read policy metadata and run after post install to clearly list the problems and potential resolutions - learn from experiment; if it is a viable replacement to peers, we should consider moving it into cli - @ljharb - this is definitely a problem - there's an education problem with the community - peer dependencies are basically a hoised requirement - used to use `npm ls` to highlight issues with projects - maintainers are not allows accurately understanding usage - @wraithgar - still have to declare peer dependency (even if your dep denotes it's a singleton)