Open RFC Meeting (npm)

#### Meeting from: April 6th, 2022 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Nathan Fritz (@fritzy) - Ruy Adorno (@ruyadorno) - Jordan Harband (@ljharb) - Bogi Wennerstrøm (@boginw) - Owen Buckley (@thescientist13) - Caleb Everett (@everett1992) - Gar (@wraithgar) ### Previously... - [2022-02-23](https://github.com/npm/rfcs/blob/main/meetings/2022-02-23.md) ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. Code of Conduct Acknowledgement 1. Outline Intentions & Desired Outcomes 1. Announcements - [**v9 Roadmap**](https://github.com/npm/statusboard/issues/443) #### ℹ️ Updates: 1. **Improving Output:** - **Issue**: [#482 [RRFC] npm should use stderr for errors](https://github.com/npm/rfcs/issues/482) - @exx8 - @lukekarrys wip: streaming log file, progress bar improvements, we can take out of the agenda for now 2. **Respecting returned registry `resolve` fields:** - **PR**: [#486 Resolved registry overrides](https://github.com/npm/rfcs/pull/486) - @everett1992 - **PR**: [#4264 implement options affecting `resolved` value in lock files.](https://github.com/npm/cli/pull/4264) - @everett1992 - @fritzy `replace registry host` can be either `default` (https://registry.npmjs.org), `always` (replacing with `registry` value) or `avoid` replacing at all. ref: https://github.com/npm/pacote/pull/143 - @everett1992 an important feature needed is to skip storing the custom registry value back to the lockfile (interesting usecase with rotating registries) 3. **`npm copy`:** - **PR**: [#493 docs: add npm copy rfc](https://github.com/npm/rfcs/pull/493) - @everett1992 - https://github.com/npm/cli/pull/4082 4. **Package Distributions:** - **PR**: [#519 RFC: Package Distributions](https://github.com/npm/rfcs/pull/519) - @darcyclarke - TBD: Schedule a separate call to discuss the proposal 5. **Shared Version Specifications**: - **PR**: [#528 RFC: Shared Version Specifications](https://github.com/npm/rfcs/pull/528) - @boginw - https://github.com/npm/rfcs/pull/528#issuecomment-1068424777 - @darcyclarke a way to work around this is to use `overrides` to tie various semver ranges declared for a given package in the installed graph to a specific version of a package 6. **Improving Workspaces:** - **Issue**: [#556 [RRFC] improving the workspaces symlinking experience](https://github.com/npm/rfcs/issues/556) - @bnb - @ruyadorno - this has been implemented for `npm version` - can now map the same functionality to other commands (like the example, `npm init`) #### ⭐️ New Items: #### 1. **Issue**: [#4236 BREAKING CHANGE(bin): command should not return non-existent paths](https://github.com/npm/statusboard/issues/479) - @lineus - @ljharb - many people abuse `npm bin` & have put it in their path - should be encouraged to use `npx` - @darcyclarke - this has been added to the `v9` backlog of breaking changes - @wraithgar - should we just deprecate this command? what is the use for it these days? #### 2. **Issue**: [#3806 [FEATURE] run-script with workspaces should short-circuit on script error](https://github.com/npm/cli/issues/3806) - @johndiiorio - @wraithgar - this was discussed previously and was a deliberate decision when we first implemented support to workspaces - @darcyclarke - adding a `--fast-fail` or `--bail` option sounds like a reasonable decision #### 3. **Issue**: [#539 [RRFC] Security: audit lockfiles for injection](https://github.com/npm/rfcs/issues/539) - @fritzy - @fritzy - arguments have been made that if someone can modify files in your repo - @darcyclarke - could shove this check in `npm doctor` #### 4. **PR**: [#547 add "obey user specifier" RFC](https://github.com/npm/rfcs/pull/547) - @ljharb - @ljharb - this came up because of a breakage - `npm install =` resolves to `^` - `npm` has always behaved this way (ie. drops all prefixes & uses the `save-prefix`) - @wraithgar - this is a bug #### 5. **Issue**: [#548 [RRFC] Add flag for running NPM commands in transitive dependencies](https://github.com/npm/rfcs/issues/548) - @zgriesinger - @zgriesinger - currently use lerna for this (topological order for building) - respecting dependencies and running - @darcyclarke - https://turborepo.org/docs/features/pipelines - @ljharb - current tooling do not deviate from the regular dependency graph - @wraithgar - seem weird to have these magic/special relationships when running scripts (ex. `npm test` should not, by default, run the tests of dependants) - @ruyadorno - we've tried this awhile back with `postinstall` scripts for `.reify()` - we can probably fix #### 6. **Issue**: [#549 [RRFC] support different `--before` policy per package prefix/pattern](https://github.com/npm/rfcs/issues/549) - @osher #### 7. **Issue**: [#559 [RRFC] expanding behavior of `--before` to support date adjustment and setting via config](https://github.com/npm/rfcs/issues/559) - @MylesBorins #### 8. **Issue**: [#4558 [BUG] Cannot work on FAT32 USB drive](https://github.com/npm/cli/issues/4558) - @szatanjl #### 9. **PR**: [#564 RFC: Dependency Selector Syntax & `npm query`](https://github.com/npm/rfcs/pull/564) - @darcyclarke #### 10. **PR**: [#566 RFC: Command Specific Configuration](https://github.com/npm/rfcs/pull/566) - @darcyclarke #### 11. **PR**: [#550 RFC: Improve signature verification](https://github.com/npm/rfcs/pull/550) - @feelepxyz #### 12. **Issue**: [#546 [RRFC] Clean up file ownership story](https://github.com/npm/rfcs/issues/546) - @ruyadorno