Meeting from: May 25th, 2022

Open RFC Meeting (npm)

Attendees

  • Darcy Clarke (@darcyclarke)
  • Nathan LaFreniere (@nlf)
  • Jordan Harband (@ljharb)
  • Owen Buckley (@thescientist13)
  • Ruy Adorno (@ruyadorno)

Agenda

  1. Housekeeping
    1. Introduction(s)
    2. Code of Conduct Acknowledgement
    3. Outline Intentions & Desired Outcomes
    4. Announcements
  2. PR: #593 Only Registry Tarballs - @thescientist13
  3. PR: #564 RFC: Dependency Selector Syntax & `npm query` - @darcyclarke
  4. Issue: #575 [FEATURE] run-script with workspaces should short-circuit on script error - @johndiiorio

Notes

PR: #593 Only Registry Tarballs - @thescientist13

  • @thescientist13
    • Bringing in as an RFC the results of the conversations in the original RRFC issue (#581) discussed previously in these meetings
  • @ljharb
    • Thinks it's very important to handle five different modes:
      • silent
      • warn on indirect deps
      • warn on direct deps
      • warn on everything
      • fail on everything
  • @darcyclarke
    • Potential in the future for this to be augmented/have more granular control, once npm query lands
  • @ljharb
    • There's a need for more npm commands to be more granular on what packages they act on
  • @darcyclarke
    • Better to hold on for now on adding any new way to filter/group packages until we have npm query out and see how we can best serve all these scenarios in a more holistic way
    • Stick with 3 modes:
      • warn on any git dep (default)
      • silent (same as today, opt-in)
      • strict / fail on any git dep (opt-in)
  • @ljharb
    • Too strong on transitive dep maintainers to then switch to strict mode by default
    • Avoiding maintainer burnout should always be a priority
  • @darcyclarke
    • There was research from @naugtur showing that there's less than 1% usage of git deps within the top 10K packages, ref.
    • Sounds like we're blocked on making a decision here until npm query is ready.
  • @ljharb
    • RFC should be worded to include any remote-dep that is not coming from the registry (local linked deps are ok) but remote tarballs should also be included
    • Should relate the RFC to npm audit instead of tying it to npm install; then it becomes auditing of dependency types (or similar), and install can one day maybe become configurable to fail if audit (or type audit) fails
  • @thescientist13
    • Will clean the RFC up and incorporate all the feedback

PR: #564 RFC: Dependency Selector Syntax & `npm query` - @darcyclarke

  • @ruyadorno
    • will demo something next week

Issue: #575 [FEATURE] run-script with workspaces should short-circuit on script error - @johndiiorio

  • @darcyclarke
    • discussed this at length in other calls
    • have backlogged work items to address this (i.e. fail fast flag & topological workspace ordering)
    • removing from the agenda