Open RFC Meeting (npm)

#### Meeting from: July 28th, 2021 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Gar (@wraithgar) - Nathan LaFreniere (@nlf) - Alasdair Hurst (@alasdairhurst) - Wes Todd (@wesleytodd) - Jordan Harband (@ljharb) - Rebecca Turner (@iarna) - Isaac Z. Schlueter (@isaacs) - Zbyszek Tenerowicz (@naugtur) - Owen Buckley (@thescientist13) ### Previously... - [2021-07-21](https://github.com/npm/rfcs/blob/latest/meetings/2021-07-21.md) ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct) 1. Outline Intentions & Desired Outcomes 1. Announcements 1. **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb 1. **PR**: [#418 RFC: Trust system root CA certificates](https://github.com/npm/rfcs/pull/418) - @deltoura 1. **PR**: [#405 RFC: Resolve packages based on Node.js version](https://github.com/npm/rfcs/pull/405) - @deltoura 1. **PR**: [#397 RFC: Peer dependencies should be able to match a full range of prerelease versions](https://github.com/npm/rfcs/pull/397) - @alasdairhurst 1. **Issue**: [#420 [RRFC] Don't expand tabs by default](https://github.com/npm/rfcs/issues/420) - @diogoeichert 1. **PR:** [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb ### Notes #### **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb - @bnb - No updates since last week - would love help/willing to pair with others - [ ] **Action:** find help to get this over the finish line #### **PR**: [#418 RFC: Trust system root CA certificates](https://github.com/npm/rfcs/pull/418) - @deltoura - @isaacs - reasonable request - Ask is to have `npm` should stack system certificate store + defined - Cureently, `npm` just passes this information off to `node` - [ ] **Action:** needs investigation w/ how this works in core #### **PR**: [#405 RFC: Resolve packages based on Node.js version](https://github.com/npm/rfcs/pull/405) - @shalvah - @bnb - `engines` is used as advisory at the moment - ... - @wesleytodd - the Node PM WG did work in this area with a **supports** spec - potentially `overrides` helps resolve this for end-users - @ljharb - wants some kind of conditional definition for a package maintainer to indicate to a consumer what `version` will work with what `engines` - @isaacs - we kind of already have a heuristic for this (engines does somewhatdictate sort order) - just use overrides(TM) - [ ] **Action:** relay that this isn't something we want to support, provide the alternatives & link back to this discussion - [ ] **Action:** remove the logic to sort based on matching engines & just use #### **PR**: [#397 RFC: Peer dependencies should be able to match a full range of prerelease versions](https://github.com/npm/rfcs/pull/397) - @alasdairhurst - @alasdair idea is to add to the set to include pre-releases - @wraithgar requires changes to `node-semver` - @darcyclarke sounds very similar to [staged publishes](https://github.com/npm/rfcs/pull/92) - @isaacs - two options: - we could provide a flag like `--include-prereleases` (this is a bomb not a swiss army knife, as you'll get prereleases _everywhere_, but that might be fine? since you'd just use it when installing the prerelease-using thing for testing in dev?) - @alasdair don't know if options would resolve the peerdependency problem of requiring a dep that resolved to a prerelease that can't then be updated since - @wesleytodd has used prerelease-specific `dist-tags` for testing & locking into during development - @ljharb sounds like this could be another usecase for `overrides` - [ ] **Action:** @alsdair to provide more usecases #### **Issue**: [#420 [RRFC] Don't expand tabs by default](https://github.com/npm/rfcs/issues/420) - @diogoeichert - @isaacs we can introduce new flags for this - Luke Karrys from the `npm` CLI team is going to open an RFC for `package.json` more robust formatting configs #### **PR:** [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb - @bnb this is an RFC in response of recent anguish felt by `npm audit` users - @isaacs there are other standards being put together we should include - @wesleytodd note: there is an OpenJS Collab Space that exists as it pertains to this problem in the broader node/javascript ecosystem ([vulnerability reporting kick-off presentation](https://www.youtube.com/watch?v=X-0yb1Nfp_I)) - [ ] **Actions:** do a deep-dive on this next week