-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Add configurable data to HTTP header #138
base: main
Are you sure you want to change the base?
Conversation
accepted/0027-add-app-id-env.md
Outdated
meta.app_id = process.env.APP_ID | ||
``` | ||
|
||
## Prior Art |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’ve never heard of this env var being used in the ecosystem. Can you elaborate on how and where it’s already used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This value is used in the third-part app Nexus Repository Manager which integrated with npm
Currently to add APP_ID is pretty difficult: use application id in package-lock.json
It would be great just to add some npm env var for an npm project and use this value as APP_ID per npm audit
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some questions. Is Can we put it in package.json instead of package-lock.json, since package-lock.json is more ephemeral? (Users sometimes blow the package-lock away to get a fresh install. Maybe they'll do that less in npm v7, but who knows, habits die hard.) Does it need to be (a) unique to each project, (b) unique to each top level project (but shared among workspaces in a monorepo, for example), (c) shared among each package in a user-defined concept of what an "app" is? Can we spell it I think it'd be a nice simple thing for a registry to provide a And if the user does send an This would also allow us to do other interesting things in the future, too, especially if an app could be associated with an org or user, and different types of access attached to that indicator. Since it's user-input, we couldn't trust it on its own, but in combination with a login token, we could say that a given appid associated with your organization can only be installed in your production IP block by certain user accounts, so you don't accidentally push to production when you thought you were doing a staging/local build, or something. |
Hi, @isaacs here my answers:
(a) - It may be unique to each project. Yes, we can use 'appid' instead of We can also provide
User should set I agree it would be nice to implement it as much as useful for CLI tool and provide more flexibility for npm users. |
That isn't really relevant. We modify the lockfile data that we send anyway, and have the package.json data readily at hand at that time, so it can reside in either place. I feel like "what app is this" is more appropriate for Also, we're not likely to add a feature like this in npm v6, and we're considering a much more streamlined API for fetching bulk advisories in npm v7 anyway. So, sky's the limit :) |
@isaacs yes, I agree that |
APP_ID
environment variablenpm-app-id
HTTP header
@isaacs I've updated RFC. Can someone approve these changes to start working under the implementation? |
I have no objection to the basic idea, but it does need some work to get over the finish line. (Your continued engagement is encouraged and welcome, but not required, if you have other things to do :) The next step is to discuss it in our weekly Open RFC meeting (which you're invited to attend!) to quickly discuss some of the ramifications of the change, decide next steps, and eventually fit it into our roadmap. I would like to drive towards some more clarity around implementation, alternatives, and prior art, just to have some confidence that we're making the right choices and not opening the door to supporting a mistake forever. Since this is going to be an interface between the client and server, it's important to get the spec as detailed as possible. The implementation itself (as proposed, anyway) is relatively straightforward, and I don't expect it'll have much impact for other parts of the system, so it should be pretty easy to get landed once we nail down the spec. |
Summary from the OpenRFC Meeting:
The first idea is very simple to implement and have no risk for npm-registry/npm-tool. @isaacs From my perspective of view, it is not clear how to add such a hook mechanism to the npm tool. Also not clear how a user will add such metadata info: from the npm console or npm config file. |
@jlstephens89 You can also watch the full discussion, if you wanna feel like you were there :) https://www.youtube.com/watch?v=W6XbJ5e3xrA |
Hi @isaacs I've created the short Demo https://youtu.be/aMFbEYgmnEk what I expect to get from this feature and how a user can set up/configure their project. We can discuss it more in the upcoming Meeting. Several remarks here:
|
If we can get suggestions on how to make this more generic and benefit the wider npm community (not just those that use NXRM), then I'd be happy to make it a priority and carve out some time for my team work on it. |
Guys, who can help to find the best approach of implementing custom user metadata into the npm registry. Like I wrote above - the best way is:
So the main issue/question of how to regex |
I would like to see if the PR (npm/cli#1674) I have put together satisfies the discussion held during the rfc meeting. Is there an agenda to (re)discuss rfc's? I would be happy to attend |
Updated to reflect latest rfc meeting
I have updated the RFC as discussed at the last meeting. Is this at a point where it can be re-reviewed / merged? |
Its possibly a bit late but could this be added to the agenda (9th September)? Or how can I go about taking this discussion further again? /cc @isaacs |
Other options to explore, discussed in 2020-09-16 RFC call: {
"headers": {
"app-id": "call it headers instead of metadata"
}
} {
"appId": "top-level field"
} ; project-level .npmrc
headers[]="npm-app-id: a config value"
headers[]="Authorization: custom-thing whatever idk" |
Leaning towards "add headers list to config", and then we can later add an RFC to put a |
npm-app-id
HTTP header
@isaacs I started to take a look at the implementation of this RFC to get ahead of the game and I found out that the npmrc already caters for additional header info. It is not as elegant is this proposal but it does suggest that there might be a backwards compatibility problem if this RFC is introduced. https://github.com/npm/cli/blob/5587ac01ffd0d2ea830a6bbb67bb34a611ffc409/node_modules/npm-registry-fetch/config.js#L23 has an entry for headers. I tested by creating something like the following in a local .npmrc file:
note that this is identical to the proposal. What is sent across the wire is: So, although not ideal, this is something I can actually work with. Additionally, 'fixing' it so that it is a correct key/pair sent across the wire my break anyone already using this capability. This was tested on the latest version 6. I did not check version 7 |
Ohhhhh ok. I wonder if we can do something like this then? [headers]
some-key = some value I'll look more closely into it soon. |
So this is weird? Seems like we drop the first one for some reason. |
This comment has been minimized.
This comment has been minimized.
Ahhhhh, the problem is that I had a trailing space, which the Yes, this works as expected, as far as I can tell. |
I am happy to close if this same functionality is transferred over to v7. That would be ideal because we are already making use of this feature. However, I think @isaacs expressed some concern that this was not intentional behaviour. |
This Is this still being worked on?
|
It seems like npm 9 will be dropping support for global configs entirely for e.g. So maybe there should be no global
The last rfc meeting was in August - was that because there had been nothing to discuss, or another reason? https://github.com/npm/rfcs/issues?q=is%3Aissue+sort%3Aupdated-desc+is%3Aclosed+label%3Ameeting (I'm unfamiliar with the rfc process and didn't see anything about it in the last meeting notes) |
What / Why
A proposition to add
npm-app-id
to the HTTP header of npm tool.