Skip to content

Latest commit

 

History

History
73 lines (67 loc) · 5.09 KB

2020-10-14.md

File metadata and controls

73 lines (67 loc) · 5.09 KB
Raw

Meeting from: October 14h, 2020

Open RFC Meeting (npm)

Attendees

  • Darcy Clarke (@darcyclarke)
  • Christian Siebmanns (@christian24)
  • Ruy Adorno (@ruyadorno)
  • Isaac Z. Schlueter (@isaacs)
  • Myles Borins (@MylesBorins)
  • Jordan Harband (@ljharb)
  • Wes Todd (@wesleytodd)

Agenda

  1. Housekeeping
    1. Introduction(s)
    2. Code of Conduct Acknowledgement
    3. Outline Intentions & Desired Outcomes
    4. Announcements
  2. PR: #239 describe how npm 7 handles peer conflicts - @isaacs
  3. Issue: #238 [RRFC] Deprecating the npx package from the public registry - @ruyadorno
  4. PR: #235 Allow server generated header values - @doddi
  5. PR: #138 RFC: Add configurable data to HTTP header - @mykyta / @doddi
  6. Issue: #225 [RRFC] Add support to plugin dependencies. - @mshima
  7. PR: #217 RFC: add registry per package per organisation - @baloran
  8. Issue: #155 [RRFC] Deprecated packages: automatically display dependents, to ease notifying maintainers - @dandv

Notes

  • Announcement: released npm v7.0.0! https://blog.npmjs.org/post/631877012766785536/release-v700
    • still work to be done
  • PR: #239 describe how npm 7 handles peer conflicts - @isaacs
    • @isaacs: two weird bugs found that will be fixed in 7.0.1
      • breaks yargs
    • @isaacs: good suggestions in the PR about styling & strictness (may want to land these in v8 or later)
    • Action: @isaacs to merge in RFC to implemented/
    • overrides tangent:
      • @ruyadorno: overrides spec may help w/ peer dep conflicts
      • @isaacs: some hazards w/ conflict resolution w/ overrides especially when we save the dep back to package.json
      • @ruyadorno: want to avoid the arbitrary resolution algo
      • @wesleytodd: sounds like we need to add a warning when you go to npm i x & you've got an overrides value for x
      • @isaacs: could save a very specific override based on the peer dep resolution
      • @ljharb: can warn about changes to your override x@1.0.1 to x@1.0.2
      • @ljharb: this workflow/design may have some overlap with audit resolving
    1. Issue: #238 [RRFC] Deprecating the npx package from the public registry - @ruyadorno
    • @wesleytodd: concern/hazard about the breaking changes/behaivor in the new version which means deprecation would make it harder for users to use the old version or see a noisey deprecation warning
    • @isaacs: npx has bundled npm@5 & vice versa in the past, which is bad/strange
    • @isaacs: npx was mostly a POC without many updates as it's challenging to maintain in both places
    • @wesleytodd: we could just leave it there
    • @isaacs: deprecation seems like the most relevant state since we are no longer maintaining that repository
    • @mylesborins: can npx just shell out to npm exec in a new major version npm@7
    • @ljharb: can deprecate every version but that major for a specific version of time
    • @isaacs: RFCs or patches welcome
    • Action: @darcyclarke to add deprecation warning to the npx package README
    • Action: we'll continue down this path to deprecate for npm@7 "GA" (ie. once we cut it over as latest)

  1. PR: #235 Allow server generated header values - @doddi

  2. PR: #138 RFC: Add configurable data to HTTP header - @mykyta / @doddi

    • Action: add support for header objects in npm config
    • Action: investigate if npm@6 already supports sending headers today

  3. Issue: #225 [RRFC] Add support to plugin dependencies. - @mshima

    • @ljharb: just use npx
    • @wesleytodd: believe there may be a misunderstanding here; Swapping files out shouldn't be breaking anything
    • @ljharb: seems like there's alternative approaches to some of these niche problems that are ending up in requsts to add to/increase the scope of dependencies specs & schema
    • @ruyadorno: seems like another reason why we should update & pull out a programmatic version of npx into something like libnpmexec

  4. PR: #217 RFC: add registry per package per organisation - @baloran

    • @ruyadorno: concerned about this having edges to land in a minor vs. a major (feels like we may have missed the boat)
    • @isaac: shouldn't be that bad
    • @wesleytodd: would always be easier/nicer to ship in a major
    • @darcyclarke: could patch 7.0.1 to throw a warning if we find this config being used
    • @weslesytodd: don't want to block but there is a security/hazard for teams with this
    • @isaacs: may be less hazardous based on the scope they're defining
    • @ljharb: think its best to warn across older versions