#### Meeting from: January 19th, 2022 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Ruy Adorno (@ruyadorno) - Owen Buckley (@thescientist13) - Nathan Fritz (@fritzy) - Wes Garland (@wesgarland4) - Jordan Harband (@ljharb) ### Previously... - [2021-12-15](https://github.com/npm/rfcs/blob/main/meetings/2021-12-15.md) - ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct) 1. Outline Intentions & Desired Outcomes 1. Announcements - OpenJS World 2022 - https://events.linuxfoundation.org/openjs-world/ - CFP: https://events.linuxfoundation.org/openjs-world/program/cfp/ 1. **Issue**: [#511 [RRFC] remove `npm-shrinkwrap.json` from the list of unignorable files](https://github.com/npm/rfcs/issues/511) - @ljharb - @ljharb was using shrinkwrap in a specific project and found out that `npm-shrinkwrap.json` is part of the list of files that can't be ignored - @ljharb would like for it to be possible to ignore the file in case it's in either `.gitignore` or `.npmignore` - @darcyclarke it is likely that `npm-shrinkwrap.json` still has some usage in the ecosystem - @ljharb it would be an opt-in behavior to stop shipping `npm-shrinkwrap.json` in case it's in an ignore file - @mylesborins recalls a recent episode in which `npm-shrinkwrap.json` helped unblock the node core team to handle a broken transitive dependency and being able to rely on it for globally-installed users by shipping that file, just to add that there's still lots of value in that feature - @darcyclarke would still prefer to ship this in a major version in case some users are inadvertly ignoring something that they would not, trying to stay on the safe side - @mylesborins would like to bring in the conversation of having some sort of validation prior to publishing a package - @ljharb would like for any files extraneous to that package to be highlighted at the moment of publishing - @ruyadorno [related approved RFC publish prompt](https://github.com/npm/rfcs/blob/main/accepted/0028-publish-prompt.md) - **Actions:** - [ ] @darcyclarke backlog a ticket to add messaging about diff of files include in a package (comparing `.npmignore` & `.gitignore` to `files`) - [ ] @darcyclarke backlog a ticket for next major, dropping `npm-packlist` opt-in of `npm-shrinkwrap.json` files 1. **Discussion:** [#508 Show which tag will be used in the output of `npm publish`](https://github.com/npm/rfcs/discussions/508) ~ `@fvictorio` - @ruyadorno sounds like a good idea, we should just backlog it - @ljharb also likes the idea of improving the emails with more relevant info, can be useful to highlight any security threat, in case access gets compromised - **Actions:** - [ ] @darcyclarke take feedback on improved publish email information back to registry team under the assumption its a security improvement - [ ] @darcyclarke backlog ticket to address this feature work (ie. improve `npm publish` output) 1. **Discussion:** [#440 Peer dependency groups](https://github.com/npm/rfcs/discussions/440) ~ `@Jamesernator` - @darcyclarke - seems like this could be supported by a future "package distributions" RFC - @bradleyfarias - node.js recently shipped a change which caused native C modules to not be importable, this could be related - @ruyadorno - sounds a little bit different from the distributions RFC idea in which it means to give a more flexible way for transitive packages to consume alternative packages given that any of the alternatives is provided as a peer dependency - it sounds like an interesting idea worth exploring, maybe turn this discussion into an actual RFC? - **Action:** - [ ] @darcyclarke to create RFC for "package distributions" by next week 1. **Discussion:** [#501 npm cli tool should report name similarity problems in --dry-run](https://github.com/npm/rfcs/discussions/501) ~ `@msikma` - @ljharb - :+1: - **Actions:** - [ ] @darcyclarke to circle back with registry team on getting an endpoint for package name validation 1. **Discussion:** [#496 Mention workspace in run-script output header](https://github.com/npm/rfcs/discussions/496) ~ `@smhg` - @fritzy - should have brackets or some kind of visual indication this output is specific to the workspace name & not being logged from the command/script - **Actions:** - [ ] @darcyclarke to backlog adding this output to `--workspace` aware commands (ex. `run`, `exec` ...)