- Darcy Clarke (@darcyclarke)
- Christian Siebmanns (@christian24)
- Ruy Adorno (@ruyadorno)
- Isaac Z. Schlueter (@isaacs)
- Myles Borins (@MylesBorins)
- Jordan Harband (@ljharb)
- Wes Todd (@wesleytodd)
- Housekeeping
- Introduction(s)
- Code of Conduct Acknowledgement
- Outline Intentions & Desired Outcomes
- Announcements
- PR: #239 describe how npm 7 handles peer conflicts - @isaacs
- Issue: #238 [RRFC] Deprecating the npx package from the public registry - @ruyadorno
- PR: #235 Allow server generated header values - @doddi
- PR: #138 RFC: Add configurable data to HTTP header - @mykyta / @doddi
- Issue: #225 [RRFC] Add support to plugin dependencies. - @mshima
- PR: #217 RFC: add registry per package per organisation - @baloran
- Issue: #155 [RRFC] Deprecated packages: automatically display dependents, to ease notifying maintainers - @dandv
- Announcement: released npm v7.0.0! https://blog.npmjs.org/post/631877012766785536/release-v700
- still work to be done
- PR: #239 describe how npm 7 handles peer conflicts - @isaacs
- @isaacs: two weird bugs found that will be fixed in
7.0.1
- breaks yargs
- @isaacs: good suggestions in the PR about styling & strictness (may want to land these in v8 or later)
- Action: @isaacs to merge in RFC to
implemented/
- overrides tangent:
- @ruyadorno: overrides spec may help w/ peer dep conflicts
- @isaacs: some hazards w/ conflict resolution w/ overrides especially when we save the dep back to
package.json
- @ruyadorno: want to avoid the arbitrary resolution algo
- @wesleytodd: sounds like we need to add a warning when you go to
npm i x
& you've got anoverrides
value forx
- @isaacs: could save a very specific override based on the peer dep resolution
- @ljharb: can warn about changes to your override
x@1.0.1
tox@1.0.2
- @ljharb: this workflow/design may have some overlap with audit resolving
- @isaacs: two weird bugs found that will be fixed in
-
- Issue: #238 [RRFC] Deprecating the npx package from the public registry - @ruyadorno
- @wesleytodd: concern/hazard about the breaking changes/behaivor in the new version which means deprecation would make it harder for users to use the old version or see a noisey deprecation warning
- @isaacs:
npx
has bundled npm@5 & vice versa in the past, which is bad/strange - @isaacs:
npx
was mostly a POC without many updates as it's challenging to maintain in both places - @wesleytodd: we could just leave it there
- @isaacs: deprecation seems like the most relevant state since we are no longer maintaining that repository
- @mylesborins: can
npx
just shell out tonpm exec
in a new major versionnpm@7
- @ljharb: can deprecate every version but that major for a specific version of time
- @isaacs: RFCs or patches welcome
- Action: @darcyclarke to add deprecation warning to the npx package README
- Action: we'll continue down this path to deprecate for npm@7 "GA" (ie. once we cut it over as
latest
)
-
PR: #235 Allow server generated header values - @doddi
-
PR: #138 RFC: Add configurable data to HTTP header - @mykyta / @doddi
- Action: add support for header objects in
npm config
- Action: investigate if npm@6 already supports sending
headers
today
- Action: add support for header objects in
-
Issue: #225 [RRFC] Add support to plugin dependencies. - @mshima
- @ljharb: just use
npx
- @wesleytodd: believe there may be a misunderstanding here; Swapping files out shouldn't be breaking anything
- @ljharb: seems like there's alternative approaches to some of these niche problems that are ending up in requsts to add to/increase the scope of
dependencies
specs & schema - @ruyadorno: seems like another reason why we should update & pull out a programmatic version of
npx
into something likelibnpmexec
- @ljharb: just use
-
PR: #217 RFC: add registry per package per organisation - @baloran
- @ruyadorno: concerned about this having edges to land in a minor vs. a major (feels like we may have missed the boat)
- @isaac: shouldn't be that bad
- @wesleytodd: would always be easier/nicer to ship in a major
- @darcyclarke: could patch
7.0.1
to throw a warning if we find this config being used - @weslesytodd: don't want to block but there is a security/hazard for teams with this
- @isaacs: may be less hazardous based on the scope they're defining
- @ljharb: think its best to warn across older versions