- Darcy Clarke (@darcyclarke)
- Gar (@wraithgar)
- Isaac Z. Schlueter (@isaacs)
- Nathan LaFreniere (@nlf)
- Ruy Adorno (@ruyadorno)
- Jordan Harband (@ljharb)
- Victor Vlasenko (@larixer)
- Housekeeping
- Introduction(s)
- Code of Conduct Acknowledgement
- Outline Intentions & Desired Outcomes
- Announcements
- Issue: #325 [RRFC] Run preinstall / postinstall scripts on single package installation - @karlhorky
- Issue: #324 [RRFC] Prefer peerDependencies over regular dependencies, when both specified together - @larixer
- Issue: #323 [RRFC] Improve experience and security around npx and scoped packages - @dominykas
- Issue: #327 Drop support for installing other-platform optionalDependencies with --force - @isaacs
- PR: #321 feat(no-tag-publish): add proposal for a no-tag publish - @wraithgar
- PR: #319 feat(multiple-dist-tags): add proposal for multiple dist-tags - @wraithgar
- PR: #317 Publish set the tag accordingly to the semver version number - @Divlo
- PR: #314 RFC: `registry:` dependency specifiers - @isaacs
- Issue: #313 [RRFC] Add method for getting help on config option - @Yash-Singh1
- Issue: #2610 [BUG] NPM v7 uses SSH instead of an explicit HTTPS for GitHub repos - @uhop
- PR: #117 RFC: npm workspaces - Working with workspaces - @ruyadorno
Issue: #325 [RRFC] Run preinstall / postinstall scripts on single package installation - @karlhorky
- @ljharb seems like there's confusion between installing me as a package & running a script when I install something else
- @isaacs maybe @wraithgar can help here, has been doing work to clean up the documentation around lifecycle scripts
- @darcyclarke could use hook-scripts potentially to solve for this
- @isaacs would not use hook-scripts as a good API/tool for this
- @ruyadorno we need this in the `npm` CLI
- @wraithgar will keep this in mind with the work being done to document lifecycle scripts
Issue: #324 [RRFC] Prefer peerDependencies over regular dependencies, when both specified together - @larixer
- @larixer describes the example of working with a framework (such as next.js) that depends on a package (such as webpack) which also uses a plugin ecosystem (such as webpack loaders) that declares the intermediate (webpack) package as a peer dependency while the top-level app also declares the intermediate package (webpack) as a dependency.
- @ljharb usually having a flexible peer dependency semver range helps resolve the dependency tree and avoid duplication
- @isaacs v7 will try to pick a version of the same peerDependencies if the ranges can be easily resolved - conflicting ranges will cause an ERESOLVE error
- @isaacs it's possible now to have a pkg be in both devDependencies AND dependencies with different declared semver ranges and PROD will always be picked up over dev on `npm install`
- @isaacs added the fix for preferring peer over prod
- @isaacs ACTION: create a bug against Arborist for this
- @isaacs/victor ACTION: update package.json docs with the logic for preferences when resolving
Issue: #323 [RRFC] Improve experience and security around npx and scoped packages - @dominykas
- @isaacs `npx` looks into the local `node_modules/.bin` directory first
- @dominykas describes the many scenarios from the RRFC examples
- @isaacs since npm6 the cli will avoid clobbering bin in the global space but it still allows that in local node_modules since changing that would be too disruptive to the ecosystem
- @isaacs looks like we can follow up tracking many of these issues offline/async after the call
- @isaacs conceptually the `--force` option in the cli will often opt-into the "less safe" resolution for a given problem
PR: #321 feat(no-tag-publish): add proposal for a no-tag publish - @wraithgar
- @wraithgar currently there's no way to publish/upload to registry without a tag, adding it could mean possible breakages for folks relying on the current behavior, in which publishing with `--no-tag` would end up publishing to the registry to a `"false"` tag.
- @wraithgar another point is that currently the public registry does not support publishing without a tag and will return a `400` error, on the other hand other registry implementations (such as GitHub packages) will work as intended.
- @isaacs currently the `--tag` option is only a string, so using that as a boolean (such as `--no-tag`) will coerce its value to a string.
- @isaacs maybe the `tag` option for install and a different option name for publish - essentially they should be two different option names.
PR: #319 feat(multiple-dist-tags): add proposal for multiple dist-tags - @wraithgar
- @wraithgar commas are actually valid characters in tag names, so we can not use a comma-separated value to declare those