Open RFC Meeting (npm)

#### Meeting from: March 3rd, 2021 # Open RFC Meeting (npm) ### Attendees - Darcy Clarke (@darcyclarke) - Nathan LaFreniere (@nlf) - Gar (@wraithgar) - Isaac Z. Schlueter (@isaacs) - Jordan Harband (@ljharb) - Ruy Adorno (@ruyadorno) - Wes Todd (@wesleytodd) - Pelle Wessman (@voxpelli) - Orta Therox (@orta) ### Agenda 1. **Housekeeping** 1. Introduction(s) 1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct) 1. Outline Intentions & Desired Outcomes 1. Announcements 1. **PR**: [#332 RFC: Support Yarn style command/script/bin lookups from the CLI with npm prefix](https://github.com/npm/rfcs/pull/332) - @orta 1. **PR**: [#117 RFC: npm workspaces - Working with workspaces](https://github.com/npm/rfcs/pull/117) - @ruyadorno 1. **Issue**: [#325 [RRFC] Run preinstall / postinstall scripts on single package installation](https://github.com/npm/rfcs/issues/325) - @karlhorky 1. **PR**: [#321 feat(no-tag-publish): add proposal for a no-tag publish](https://github.com/npm/rfcs/pull/321) - @wraithgar 1. **PR**: [#319 feat(multiple-dist-tags): add proposal for multiple dist-tags](https://github.com/npm/rfcs/pull/319) - @wraithgar 1. **PR**: [#314 RFC: `registry:` dependency specifiers](https://github.com/npm/rfcs/pull/314) - @isaacs 1. **Issue**: [#313 [RRFC] Add method for getting help on config option](https://github.com/npm/rfcs/issues/313) - @Yash-Singh1 1. **Issue**: [#2610 [BUG] NPM v7 uses SSH instead of an explicit HTTPS for GitHub repos](https://github.com/npm/cli/issues/2610) - @uhop 1. **Discussion**: [#316 Opting out of backwards compatibility of package-lock.json](https://github.com/npm/rfcs/discussions/316) - @valtlai 1. **Discussion**: [#334 Highlight action items in ERESOLVE error msg?](https://github.com/npm/rfcs/discussions/334) - @ruyadorno ### Notes #### **PR**: [#332 RFC: Support Yarn style command/script/bin lookups from the CLI with npm prefix](https://github.com/npm/rfcs/pull/332) - @orta * @ljharb if `npm` implemented this, every new command would be a breaking change (semver:major) * @orta my workflow uses these commands ~40% of the time * @orta yarn has always had this behavrior so the concern is lessend in their case * @wraithgar the ambiguity here scares me * @wesleytodd * @lharb improvements to `npm run-script` that allow it to except/fallback locally installed * @isaacs this is semver major if we make changes around to `run-script` * @darcyclarke we can ship under a flag * @wraigthgar seems like we're still conflating * @darcyclarke we should write the `npr` binary RFC * @isaacs imo, `npx` was a mistake - should have introduced `npm exec` first * @isaacs `npx` behaivour today is confusing * @voxpelli imagine `run test` & a module has defined a binary, this fallback could lead to unintended consequences * @wesleytodd seems like there's an RCE vector here * @orta `yarn` solved this a bit w/ **strict mode** Summary: There are ~4 execution contexts: "scripts", local .bin deps, global deps and "download to tmp to run" - the coverage between them all in commands is spotty - `npm exec`: does local script, global dep and external dep - `npm r`: could that just focus on local exec-y things? e.g. scripts then local deps then fail - `npm exec-local` (new): like `npm exec`, but only for node_module/.bin executables #### **PR**: [#117 RFC: npm workspaces - Working with workspaces](https://github.com/npm/rfcs/pull/117) - @ruyadorno * @ruyadorno * Going back a bit about to the more transparent implementation * ex. `npm install` is *workspace-aware* without being nested (ie. `npm ws install`) * the categorization of each of the commands helped us see how to navigate this work better * core idea is... `workspaces=false` is the default for all commands that aren't currently *workspace-aware* (ie. the `install`-suite of commands) * **Action:** need to finalize command examples * @isaacs * some work to be done to do filtered installs (ie.) * `exec` & `run-script` are the other interesting/challenging commands (more thought required) * @wesleytodd assumption of `npm run` only executing once vs. several times should be accomodated * @isaacs we should make our docs really clear about this * @darcyclarke nice labels in our docs can help (ie. quick/visible indicator of the command's level of workspace support) * @ruyadorno it would be a breaking change to `npm ls` if we made it *workspace-aware* without a flag * @isaacs workspaces are sort of looked at as experiemental already * @wesleytodd although you may look at it that way, user's may not be considering #### **Issue**: [#325 [RRFC] Run preinstall / postinstall scripts on single package installation](https://github.com/npm/rfcs/issues/325) - @karlhorky * @isaacs we need a "install tree has been mutated" lifecycle script, that would solve this without conflatig what preinstall/postinstall are used for. * @darcyclarke let's backlog writing an actual RFC for that * @wesleytodd would like to be able to do this programmatically with `arborist` #### **PR**: [#321 feat(no-tag-publish): add proposal for a no-tag publish](https://github.com/npm/rfcs/pull/321) - @wraithgar * ...