2022-01-19.md

Meeting from: January 19th, 2022

Open RFC Meeting (npm)

Attendees

• Darcy Clarke (@darcyclarke)
• Ruy Adorno (@ruyadorno)
• Owen Buckley (@thescientist13)
• Nathan Fritz (@fritzy)
• Wes Garland (@wesgarland4)

Previously...

• 2021-12-15

Agenda

1. Housekeeping
   1. Introduction(s)
   2. Code of Conduct Acknowledgement
   3. Outline Intentions & Desired Outcomes
   4. Announcements
      • OpenJS World 2022
        • https://events.linuxfoundation.org/openjs-world/
        • CFP: https://events.linuxfoundation.org/openjs-world/program/cfp/
2. Issue: #511 [RRFC] remove `npm-shrinkwrap.json` from the list of unignorable files - @ljharb

• @ljharb was using shrinkwrap in a specific project and found out that npm-shrinkwrap.json is part of the list of files that can't be ignored
• @ljharb would like for it to be possible to ignore the file in case it's in either .gitignore or .npmignore
• @darcyclarke it is likely that npm-shrinkwrap.json still has some usage in the ecosystem
• @ljharb it would be an opt-in behavior to stop shipping npm-shrinkwrap.json in case it's in an ignore file
• @mylesborins recalls a recent episode in which npm-shrinkwrap.json helped unblock the node core team to handle a broken transitive dependency and being able to rely on it for globally-installed users by shipping that file, just to add that there's still lots of value in that feature
• @darcyclarke would still prefer to ship this in a major version in case some users are inadvertly ignoring something that they would not, trying to stay on the safe side
• @mylesborins would like to bring in the conversation of having some sort of validation prior to publishing a package
• @ljharb would like for any files extraneous to that package to be highlighted at the moment of publishing
• @ruyadorno related approved RFC publish prompt
• Actions:
  • @darcyclarke backlog a ticket to add messaging about diff of files include in a package (comparing .npmignore & .gitignore to files)
  • @darcyclarke backlog a ticket for next major, dropping npm-packlist opt-in of npm-shrinkwrap.json files

1. Discussion: #508 Show which tag will be used in the output of npm publish ~ @fvictorio

• @ruyadorno sounds like a good idea, we should just backlog it
• @ljharb also likes the idea of improving the emails with more relevant info, can be useful to highlight any security threat, in case access gets compromised
• Actions:
  • @darcyclarke take feedback on improved publish email information back to registry team under the assumption its a security improvement
  • @darcyclarke backlog ticket to address this feature work (ie. improve npm publish output)

1. Discussion: #440 Peer dependency groups ~ @Jamesernator

• @darcyclarke
  • seems like this could be supported by a future "package distributions" RFC
• @bradleyfarias
  • node.js recently shipped a change which caused native C modules to not be importable, this could be related
• @ruyadorno
  • sounds a little bit different from the distributions RFC idea in which it means to give a more flexible way for transitive packages to consume alternative packages given that any of the alternatives is provided as a peer dependency
  • it sounds like an interesting idea worth exploring, maybe turn this discussion into an actual RFC?
• Action:
  • @darcyclarke to create RFC for "package distributions" by next week

1. Discussion: #501 npm cli tool should report name similarity problems in --dry-run ~ @msikma

• @ljharb
  • 👍
• Actions:
  • @darcyclarke to circle back with registry team on getting an endpoint for package name validation

1. Discussion: #496 Mention workspace in run-script output header ~ @smhg

• @fritzy
  • should have brackets or some kind of visual indication this output is specific to the workspace name & not being logged from the command/script
• Actions:
  • @darcyclarke to backlog adding this output to --workspace aware commands (ex. run, exec ...)