Open RFC Meeting (npm)

#### Meeting from: May 5th, 2021 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Isaac Z. Schlueter (@isaacs) - Nathan LaFreniere (@nlf) - Tierney Cyren (@bnb) - Daniel Park (@gimli01) - Rick Markins (@rxmables) - Gar (@wraithgar) - LJHarb (@ljharb) ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct) 1. Outline Intentions & Desired Outcomes 1. Announcements 1. **PR**: [#364 Restore npm 6 ability to install one package](https://github.com/npm/rfcs/pull/364) - @dandv 1. **Issue**: [#363 [RRFC] `.npmignore` pragma to include `.gitignore`](https://github.com/npm/rfcs/issues/363) - @ljharb 1. **PR**: [#343 RFC: npm workspaces: auto switch context based on cwd](https://github.com/npm/rfcs/pull/343) - @ruyadorno 1. **PR**: [#336 RFC for `where` config parameter](https://github.com/npm/rfcs/pull/336) - @nlf 1. **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb 1. **Issue**: [#156 [RRFC] Optional install](https://github.com/npm/rfcs/issues/156) - @gotbahn 1. **PR**: [#375 Define which dependencies are shared among workspace projects](https://github.com/npm/rfcs/pull/375) (draft) - @isaacs 1. **Issue**: [#372 Topic: discuss `npm-audit-resolver` needs](https://github.com/npm/rfcs/issues/372) - @darcyclarke ### Notes #### Announcements: - OpenJS World is coming up! (June) - Package Vulnerability Collab Space Kick-off Pre-Recorded Meeting: https://hackmd.io/hDxqoasBTryAH0DBJbVhOQ #### **PR**: [#364 Restore npm 6 ability to install one package](https://github.com/npm/rfcs/pull/364) - @dandv - @ljharb - was investigating this separately - concerned about this behaivour - @isaacs - always need to rebuild the ideal tree - we should be able to limit the changes to a specific Node soon (changes in `arborist` should fix this) - with a lockfile v6 & v7 work the same today... this would be a change - @darcyclarke is this a major/minor/patch? - @ljharb - sounds like we could make this a patch if we try to make this consistent when you don't have a lockfile - sounds like we should have a config to stabilize this & can flip the default in the next major - [ ] **Action:** @wesleytodd &/or @ljharb to give feedback & potentially add a new RFC for adding a config to allow filtered reification #### **Issue**: [#363 [RRFC] `.npmignore` pragma to include `.gitignore`](https://github.com/npm/rfcs/issues/363) - @ljharb - @ljharb - finds `files` array dangerous - utilizes `.npmignore` has to duplicate/sync w/ `.gitignore` - `.npmignore` to essentially extend `.gitignore` - doesn't want/feel like adding a new field to `package.json` - @darcyclarke publish prompts/checks? - @isaacs `prepublish` script that modifies `files` array in `package.json`? - @wraithgar - is backwards compatibility important? - we could add a flag - @ljharb - I want backwards incompatibility for this net-new feature - it should fail loudly - @isaacs - agrees with additive approach #### **PR**: [#343 RFC: npm workspaces: auto switch context based on cwd](https://github.com/npm/rfcs/pull/343) - @ruyadorno - @isaacs - seems hazardous to imply the relationship by walking up - in favour of the explicit file noting - @wesleytodd - believe having a DX requirement here would be #### **PR**: [#336 RFC for `where` config parameter](https://github.com/npm/rfcs/pull/336) - @nlf - @nlf - `npm config set|get` only changes user-level config OR globally if you pass `--global` - no way to set project-level config - `npm exec` has a similar problem where the order of where it looks/fallsback isn't explicit; If it supported this, you could configure this - @darcyclarke - only thing that seems like we'd want changed is the name of the config - @isaacs - make the config EXPLICIT to the usage - [ ] **Action:** @nlf/@darcyclarke create a poll with options for the name/update RFC #### **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb - @tierney - rewrote RFC to be focused on utilizing licensee #### **Issue**: [#156 [RRFC] Optional install](https://github.com/npm/rfcs/issues/156) - @gotbahn - note: will leave on the agenda for next week #### **PR**: [#375 Define which dependencies are shared among workspace projects](https://github.com/npm/rfcs/pull/375) (draft) - @isaacs - note: will leave on the agenda for next week