#### Meeting from: January 12th, 2022

# Open RFC Meeting (npm)

### Attendees

- Darcy Clarke (@darcyclarke)
- Ruy Adorno (@ruyadorno)
- Nathan LaFreniere (@nlf)
- Nathan Fritz (@fritzy)
- Nish Sinha (@nishnha)
- John Caine (@jjcaine)
- Owen Buckley (@thescientist13)
- Jordan Harband (@ljharb)
- Tierney Cyren (@bnb)
- Steven (@styfle)

### Previously...

- [2021-12-15](https://github.com/npm/rfcs/blob/main/meetings/2021-12-15.md)

### Agenda

1. **Housekeeping**
    1. Introduction(s)
    1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct)
    1. Outline Intentions & Desired Outcomes
    1. Announcements
        - overrides shipped
        - 2fa improvements
        - OpenJS World 2022
          - https://events.linuxfoundation.org/openjs-world/
          - CFP: https://events.linuxfoundation.org/openjs-world/program/cfp/
1. **Issue**: [#509 [RRFC] Change the default save-prefix from ^ to none](https://github.com/npm/rfcs/issues/509) - @zkldi
1. **PR**: [#4227 Change the default save-prefix from ^ to none](https://github.com/npm/cli/pull/4227) - @zkldi
1. **PR**: [#4223 fix: npm update --save](https://github.com/npm/cli/pull/4223) - @ruyadorno
1. **PR**: [#4222 Dependabot: `npm audit <fix> --package`](https://github.com/npm/cli/pull/4222) - @Nishnha
1. **Issue**: [#499 [RRFC] Custom logging location](https://github.com/npm/rfcs/issues/499) - @EvanCarroll
1. **Issue**: [#497 [RRFC] Warn users when skipping alias/git deps during audit](https://github.com/npm/rfcs/issues/497) - @rotem-cider
1. **PR**: [#488 Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/488) - @tolmasky
1. **PR**: [#481 RFC: Run `prepare` Scripts for Linked Bundled Dependencies](https://github.com/npm/rfcs/pull/481) - @mysterycommand
1. **PR**: [#375 Define which dependencies are shared among workspace projects](https://github.com/npm/rfcs/pull/375) - @isaacs

### Notes

#### **Issue**: [#509 [RRFC] Change the default save-prefix from ^ to none](https://github.com/npm/rfcs/issues/509) - @zkldi
#### **PR**: [#4227 Change the default save-prefix from ^ to none](https://github.com/npm/cli/pull/4227) - @zkldi

- @darcyclarke
  - tl;dr we probably won't ever do this...
- @ljharb
  - problem statements are accurate & need to be addressed
    - known bad actor in your dep tree
  - solution is not ideal & would cause other issues
  - there are several misconceptions around `npm install` mixed with what may be bugs in the cli
- @thescientist13
  - appreciate the balanced
  - seems like there's a need for better documentation
- @ruyadorno
  - let's make sure we document these problem statements
- @bnb
  - ...
- @darcyclarke
  - package quality indicators
- @mylesborins
  - lockfiles vs. shrinkwrap use cases
  - cli vs libraries, what if it makes sense for a package with a bin to have a lockfile but not look at that otherwise
  - maybe just a set of best practices around these with the tooling we have today

#### **PR**: [#4223 fix: npm update --save](https://github.com/npm/cli/pull/4223) - @ruyadorno

- @darcyclarke
  - this is one of the most asked for bugs/features that we lost in `npm@7`
- @ruyadorno
  - we have implemented `npm update --save` which should function the same as `npm update` did back in `npm@6`, where package specs can be saved back to `package.json` & not just `package-lock.json`
  - `save` config as a default has always been `true`
  - `no-save` (aka `save=false`) is also a flag to be considered as it is used to *not* save back to `package-lock.json`
- @fritzy
  - this may land next week
  - need to consider if this was/is a bug

#### **PR**: [#4222 Dependabot: `npm audit <fix> --package`](https://github.com/npm/cli/pull/4222) - @Nishnha

- @darcyclarke
  - Draft PR from the dependabot team that provides a scoped `npm audit`
- @Nishnha
  - hope is to be able to scope `npm audit fix` to a specific package
  - wip, still needs work to support transitive dependencies
- @ruyadorno
  - is the plan to also use overrides to replace transitive deps?
- @Nishnha
  - Yes, we want to be able to also replace any vulnerable transitive dep
  - There are some discrepancies between update and audit we need to look into
- @darcyclarke
  - Stretch goal of providing info of a non-installed package
- **Actions:**
  - [ ] @darcyclarke to identify DRI to work w/ Dependabot team to help

#### **Issue**: [#499 [RRFC] Custom logging location](https://github.com/npm/rfcs/issues/499) - @EvanCarroll

- @lukekarrys
- **Actions:**
  - [ ] @darcyclarke to backlog a ticket for adding this config

#### **Issue**: [#497 [RRFC] Warn users when skipping alias/git deps during audit](https://github.com/npm/rfcs/issues/497) - @rotem-cider

- @ljharb
  - should properly audit aliases and warn on git deps
  - basically audit as many things as possible, warn on anything we can not audit
- **Actions:**
  - [ ] @darcyclarke to backlog a ticket for making `npm:` aliases & `overrides` auditable
  - [ ] @darcyclarke to backlog a ticket for improving output when packages are skipped from the audit process

#### **PR**: [#488 Make npm install scripts opt-in](https://github.com/npm/rfcs/pull/488) - @tolmasky

- @styfle
  - sounds like this is great in an ideal world, maybe not for a couple of years
  - prebuilt binaries are one of the main reasons install scripts are necessary; if we could solve these two it would help a lot:
    - have a way to detect the correct prebuilt binary (musl vs glibc) for the current platform
    - fall back to WASM if a prebuilt binary is not found for the current platform
- @darcyclarke
  - let's bring in more ideas/features that will enable the future in which scripts can be opt-out by default
  - this will probably not land for a few years, we need time for the ecosystem to adapt
- @mylesborins
  - not convinced that getting rid of scripts is the right call
  - the fact that the ecosystem is using it for getting the right prebuilt binaries is more of a symptom that we need to improve that story

#### **PR**: [#481 RFC: Run `prepare` Scripts for Linked Bundled Dependencies](https://github.com/npm/rfcs/pull/481) - @mysterycommand

- @darcyclarke
  - this is probably a bug that will get some eyes very soon as we tackle the backlog

#### **PR**: [#375 Define which dependencies are shared among workspace projects](https://github.com/npm/rfcs/pull/375) - @isaacs

- @ljharb
  - willing to help out with this
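The #509/#4227 discussion above turns on what the default `^` save-prefix lets a lockfile-less install resolve to. As an added illustration, not code from the meeting or from the npm CLI, the following implements node-semver's caret rule for plain `x.y.z` versions (leaving out prerelease tags is an assumption here) and contrasts the versions a `^`-prefixed spec admits with an exact pin:

```javascript
// Added example (not from the npm meeting notes or the npm CLI): what the
// default save-prefix "^" admits when no lockfile pins the resolution.
// Caret rule for plain x.y.z only; no prerelease tags (assumption).

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of ^x.y.z: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(version) {
  const [major, minor, patch] = parse(version);
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Spec written to package.json: "^1.2.3" by default, "1.2.3" with save-prefix="".
function saveSpec(version, savePrefix) {
  return `${savePrefix}${version}`;
}

// True when `candidate` satisfies a saved spec of the form "^x.y.z" or "x.y.z".
function satisfies(spec, candidate) {
  const c = parse(candidate);
  if (spec.startsWith("^")) {
    const base = spec.slice(1);
    return compare(c, parse(base)) >= 0 && compare(c, caretUpperBound(base)) < 0;
  }
  return compare(c, parse(spec)) === 0;
}

// Every published version a lockfile-less install could resolve the spec to.
function admitted(spec, available) {
  return available.filter((v) => satisfies(spec, v));
}

// Constructed registry listing for illustration.
const AVAILABLE = ["1.2.3", "1.2.4", "1.9.0", "2.0.0", "0.2.3", "0.2.9", "0.3.0"];
console.log(admitted(saveSpec("1.2.3", "^"), AVAILABLE)); // ["1.2.3","1.2.4","1.9.0"]
console.log(admitted(saveSpec("1.2.3", ""), AVAILABLE));  // ["1.2.3"]
```

The exact pin reproduces only what was resolved at save time, which is the behaviour the lockfile already provides when it is committed and honoured.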