#### Meeting from: February 17th, 2021

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Gar (@wraithgar)
- Isaac Z. Schlueter (@isaacs)
- Nathan LaFreniere (@nlf)
- Ruy Adorno (@ruyadorno)
- Jordan Harband (@ljharb)
- Victor Vlasenko (@larixer)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct)
    1. Outline Intentions & Desired Outcomes
    1. Announcements
1. **Issue**: [#325 [RRFC] Run preinstall / postinstall scripts on single package installation](https://github.com/npm/rfcs/issues/325) - @karlhorky
1. **Issue**: [#324 [RRFC] Prefer peerDependencies over regular dependencies, when both specified together](https://github.com/npm/rfcs/issues/324) - @larixer
1. **Issue**: [#323 [RRFC] Improve experience and security around npx and scoped packages](https://github.com/npm/rfcs/issues/323) - @dominykas
1. **Issue**: [#327 Drop support for installing other-platform optionalDependencies with --force](https://github.com/npm/rfcs/issues/327) - @isaacs
1. **PR**: [#321 feat(no-tag-publish): add proposal for a no-tag publish](https://github.com/npm/rfcs/pull/321) - @wraithgar
1. **PR**: [#319 feat(multiple-dist-tags): add proposal for multiple dist-tags](https://github.com/npm/rfcs/pull/319) - @wraithgar
1. **PR**: [#317 Publish set the tag accordingly to the semver version number](https://github.com/npm/rfcs/pull/317) - @Divlo
1. **PR**: [#314 RFC: `registry:` dependency specifiers](https://github.com/npm/rfcs/pull/314) - @isaacs
1. **Issue**: [#313 [RRFC] Add method for getting help on config option](https://github.com/npm/rfcs/issues/313) - @Yash-Singh1
1. **Issue**: [#2610 [BUG] NPM v7 uses SSH instead of an explicit HTTPS for GitHub repos](https://github.com/npm/cli/issues/2610) - @uhop
1. **PR**: [#117 RFC: npm workspaces - Working with workspaces](https://github.com/npm/rfcs/pull/117) - @ruyadorno

### Notes

#### **Issue**: [#325 [RRFC] Run preinstall / postinstall scripts on single package installation](https://github.com/npm/rfcs/issues/325) - @karlhorky

* @ljharb seems like there's confusion between installing me as a package & running a script when I install something else
* @isaacs maybe @wraithgar can help here, has been doing work to clean up the documentation around lifecycle scripts
* @darcyclarke could use hook-scripts potentially to solve for this
* @isaacs would not use hook-scripts as a good API/tool for this
* @ruyadorno we need this in the `npm` CLI
* @wraithgar will keep this in mind with the work being done to document lifecycle scripts

#### **Issue**: [#324 [RRFC] Prefer peerDependencies over regular dependencies, when both specified together](https://github.com/npm/rfcs/issues/324) - @larixer

* @larixer describes the example of working with a framework (such as next.js) that depends on a package (such as webpack) which also uses a plugin ecosystem (such as webpack loaders) that declares the intermediate (webpack) package as a peer dependency while the top-level app also declares the intermediate package (webpack) as a dependency.
* @ljharb usually having a flexible peer dependency semver range helps out resolving the dependency tree and avoiding duplication
* @isaacs v7 will try to pick a version of the same peerDependencies if the ranges can be easily resolved - conflicting ranges will cause an ERESOLVE error
* @isaacs it's possible now to have a pkg be in both devDependencies AND dependencies with different declared semver ranges and PROD will always be picked up over dev on `npm install`
* @isaacs added the fix for preferring peer over prod
* @isaacs ACTION: create a bug against Arborist for this
* @isaacs/victor ACTION: update package.json docs with the logic for preferences when resolving

#### **Issue**: [#323 [RRFC] Improve experience and security around npx and scoped packages](https://github.com/npm/rfcs/issues/323) - @dominykas

* @isaacs `npx` looks into the local `node_modules/.bin` directory first
* @dominykas _describes the [many scenarios](https://github.com/npm/rfcs/issues/323) from the RRFC examples_
* @isaacs since npm6 the cli will avoid clobbering bin in the global space but it still allows that in local node_modules since changing that would be too disruptive to the ecosystem
* @isaacs looks like we can follow up tracking many of these issues offline/async after the call

#### **Issue**: [#327 Drop support for installing other-platform optionalDependencies with --force](https://github.com/npm/rfcs/issues/327) - @isaacs

* @isaacs conceptually the `--force` option in the cli will often opt-into the "less safe" resolution for a given problem

#### **PR**: [#321 feat(no-tag-publish): add proposal for a no-tag publish](https://github.com/npm/rfcs/pull/321) - @wraithgar

* @wraithgar currently there's no way to publish/upload to registry without a tag, adding it could mean possible breakages for folks relying on the current behavior, in which publishing with `--no-tag` would end up publishing to the registry to a `"false"` tag.
* @wraithgar another point is that currently the public registry does not support publishing without a tag and will return a `400` error, on the other hand other registry implementations (such as GitHub packages) will work as intended.
* @isaacs currently the `--tag` option is only a string, so using that as a boolean (such as `--no-tag`) will coerce its value to a string.
* @isaacs maybe the `tag` option for install and a different option name for publish - essentially they should be two different option names.

#### **PR**: [#319 feat(multiple-dist-tags): add proposal for multiple dist-tags](https://github.com/npm/rfcs/pull/319) - @wraithgar

* @wraithgar commas are actually valid characters in tag names, so we cannot use a comma-separated value to declare those