Meeting from: February 17th, 2021

Open RFC Meeting (npm)

Attendees

  • Darcy Clarke (@darcyclarke)
  • Gar (@wraithgar)
  • Isaac Z. Schlueter (@isaacs)
  • Nathan LaFreniere (@nlf)
  • Ruy Adorno (@ruyadorno)
  • Jordan Harband (@ljharb)
  • Victor Vlasenko (@larixer)

Agenda

  1. Housekeeping
    1. Introduction(s)
    2. Code of Conduct Acknowledgement
    3. Outline Intentions & Desired Outcomes
    4. Announcements
  2. Issue: #325 [RRFC] Run preinstall / postinstall scripts on single package installation - @karlhorky
  3. Issue: #324 [RRFC] Prefer peerDependencies over regular dependencies, when both specified together - @larixer
  4. Issue: #323 [RRFC] Improve experience and security around npx and scoped packages - @dominykas
  5. Issue: #327 Drop support for installing other-platform optionalDependencies with --force - @isaacs
  6. PR: #321 feat(no-tag-publish): add proposal for a no-tag publish - @wraithgar
  7. PR: #319 feat(multiple-dist-tags): add proposal for multiple dist-tags - @wraithgar
  8. PR: #317 Publish set the tag accordingly to the semver version number - @Divlo
  9. PR: #314 RFC: `registry:` dependency specifiers - @isaacs
  10. Issue: #313 [RRFC] Add method for getting help on config option - @Yash-Singh1
  11. Issue: #2610 [BUG] NPM v7 uses SSH instead of an explicit HTTPS for GitHub repos - @uhop
  12. PR: #117 RFC: npm workspaces - Working with workspaces - @ruyadorno

Notes

  • @ljharb seems like there's confusion between installing me as a package & running a script when I install something else
  • @isaacs maybe @wraithgar can help here, has been doing work to clean up the documentation around lifecycle scripts
  • @darcyclarke could use hook-scripts potentially to solve for this
  • @isaacs would not use hook-scripts as a good API/tool for this
  • @ruyadorno we need this in the npm CLI
  • @wraithgar will keep this in mind with the work being done to document lifecycle scripts
  • @larixer describes the example of working with a framework (such as next.js) that depends on a package (such as webpack) which also uses a plugin ecosystem (such as webpack loaders) that declares the intermediate (webpack) package as a peer dependency while the top-level app also declares the intermediate package (webpack) as a dependency.
  • @ljharb usually having a flexible peer dependency semver range helps with resolving the dependency tree and avoiding duplication
  • @isaacs v7 will try to pick a version of the same peerDependencies if the ranges can be easily resolved - conflicting ranges will cause an ERESOLVE error
  • @isaacs it's possible now to have a pkg be in both devDependencies AND dependencies with different declared semver ranges and PROD will always be picked up over dev on npm install
  • @isaacs added the fix for preferring peer over prod
  • @isaacs ACTION: create a bug against Arborist for this
  • @isaacs/victor ACTION: update package.json docs with the logic for preferences when resolving
  • @isaacs npx looks into the local node_modules/.bin directory first
  • @dominykas describes the many scenarios from the RRFC examples
  • @isaacs since npm6 the cli will avoid clobbering bin in the global space but it still allows that in local node_modules since changing that would be too disruptive to the ecosystem
  • @isaacs looks like we can follow up tracking many of these issues offline/async after the call
  • @isaacs conceptually the --force option in the cli will often opt-into the "less safe" resolution for a given problem
  • @wraithgar currently there's no way to publish/upload to registry without a tag, adding it could mean possible breakages for folks relying on the current behavior, in which publishing with --no-tag would end up publishing to the registry to a "false" tag.
  • @wraithgar another point is that currently the public registry does not support publishing without a tag and will return a 400 error, on the other hand other registry implementations (such as GitHub packages) will work as intended.
  • @isaacs currently the --tag option is only a string, so using that as a boolean (such as --no-tag) will coerce its value to a string.
  • @isaacs maybe the tag option for install and a different option name for publish - essentially they should be two different option names.
  • @wraithgar commas are actually valid characters in tag names, so we cannot use a comma-separated value to declare those