Open RFC Meeting (npm)

#### Meeting from: May 12th, 2021 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Gar (@wraithgar) - Isaac Z. Schlueter (@isaacs) - Rick Markins (@rxmarbles) - Ruy Adorno (@ruyadorno) - Jordan Harband (@ljharb) - Tierney Cyren (@bnb) ### Agenda - **Housekeeping** 1. Introduction(s) 1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct) 1. Outline Intentions & Desired Outcomes 1. Announcements 1. **PR**: [#375 Define which dependencies are shared among workspace projects](https://github.com/npm/rfcs/pull/375) - @isaacs 1. **Issue**: [#372 Topic: discuss `npm-audit-resolver` needs](https://github.com/npm/rfcs/issues/372) - @darcyclarke 1. **PR**: [#364 Restore npm 6 ability to install one package](https://github.com/npm/rfcs/pull/364) - @dandv 1. **Issue**: [#363 [RRFC] `.npmignore` pragma to include `.gitignore`](https://github.com/npm/rfcs/issues/363) - @ljharb 1. **PR**: [#343 RFC: npm workspaces: auto switch context based on cwd](https://github.com/npm/rfcs/pull/343) - @ruyadorno 1. **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb 1. **PR**: [#336 RFC for `where` config parameter](https://github.com/npm/rfcs/pull/336) - @nlf 1. **Issue**: [#156 [RRFC] Optional install](https://github.com/npm/rfcs/issues/156) - @gotbahn ### Notes: #### 1. **PR**: [#375 Define which dependencies are shared among workspace projects](https://github.com/npm/rfcs/pull/375) - @isaacs - Will be merged with Vincent's "Pure Mode" proposal and refactored into three RFCs 1. What gets shared, and what gets isolated, by default? 2. A proposal for specifying what is isolated and what is shared, via config and/or package.json syntax 3. A spec for the shape of the isolated-dep store, what symlinks where, etc. - @ljharb - by hoisting everything to root, sharing deps has been conflated w/ root's node modules #### 2. **Issue**: [#372 Topic: discuss `npm-audit-resolver` needs](https://github.com/npm/rfcs/issues/372) - @darcyclarke - @darcyclarke - removing this from agenda - have moved some of these discussions to a new collab space - @wesleytodd - just starting to engage security researchers/maintainers #### 3. **PR**: [#364 Restore npm 6 ability to install one package](https://github.com/npm/rfcs/pull/364) - @dandv - @isaacs - has to be opt-in/explicit (ex. ) - @wraithgar - does `--no-package-lock` resolve this? - @ljharb - `install foo` should only install one thing & if it does more then "its a bug" - @wesleytodd - the pruning is a bug - in strong favor of heavily documenting the behaviour - **Action:** [ ] respond w/ option to introduce new config/flag that will allow for this explicit behaivour (ex. `--only`) #### 4. **Issue**: [#363 [RRFC] `.npmignore` pragma to include `.gitignore`](https://github.com/npm/rfcs/issues/363) - @ljharb - **Action:** [ ] spike on the implementation / @ljharb #### 5. **PR**: [#343 RFC: npm workspaces: auto switch context based on cwd](https://github.com/npm/rfcs/pull/343) - @ruyadorno - @ruyadorno - ... - @isaacs - We could do this if we loosen the "no touching workspace" constraint. - Put a file at `packages/foo/.workspace-root` containing `../..`, and now running `npm install` in that folder is transmuted into `npm install --prefix=../.. --workspace=foo`. That's doable. - Implicitly walking all the way up to `/` looking for package.json is not great. - @darcyclarke - ... - **Action:** [ ] @ruyadorno will add alternatives to the RFC #### 6. **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb - @bnb - has updated the RFC - looking for reviews/feedback - **Action:** [ ] @bnb to update RFC based on feedback #### 7. **PR**: [#336 RFC for `where` config parameter](https://github.com/npm/rfcs/pull/336) - @nlf - ... #### 8. **Issue**: [#156 [RRFC] Optional install](https://github.com/npm/rfcs/issues/156) - @gotbahn - ...