-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ocs: add meeting notes from 2021-07-28 call
- Loading branch information
1 parent
da73d3f
commit 2a5b2c5
Showing
1 changed file
with
86 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| #### Meeting from: July 28th, 2021 | ||
|
|
||
| # Open RFC Meeting (npm) | ||
|
|
||
| ### Attendees | ||
| - Darcy Clarke (@darcyclarke) | ||
| - Gar (@wraithgar) | ||
| - Nathan LaFreniere (@nlf) | ||
| - Alasdair Hurst (@alasdairhurst) | ||
| - Wes Todd (@wesleytodd) | ||
| - Jordan Harband (@ljharb) | ||
| - Rebecca Turner (@iarna) | ||
| - Isaac Z. Schlueter (@isaacs) | ||
| - Zbyszek Tenerowicz (@naugtur) | ||
| - Owen Buckley (@thescientist13) | ||
|
|
||
| ### Previously... | ||
|
|
||
| - [2021-07-21](https://github.com/npm/rfcs/blob/latest/meetings/2021-07-21.md) | ||
|
|
||
| ### Agenda | ||
|
|
||
| 1. **Housekeeping** | ||
| 1. Introduction(s) | ||
| 1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct) | ||
| 1. Outline Intentions & Desired Outcomes | ||
| 1. Announcements | ||
| 1. **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb | ||
| 1. **PR**: [#418 RFC: Trust system root CA certificates](https://github.com/npm/rfcs/pull/418) - @deltoura | ||
| 1. **PR**: [#405 RFC: Resolve packages based on Node.js version](https://github.com/npm/rfcs/pull/405) - @deltoura | ||
| 1. **PR**: [#397 RFC: Peer dependencies should be able to match a full range of prerelease versions](https://github.com/npm/rfcs/pull/397) - @alasdairhurst | ||
| 1. **Issue**: [#420 [RRFC] Don't expand tabs by default](https://github.com/npm/rfcs/issues/420) - @diogoeichert | ||
| 1. **PR:** [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb | ||
|
|
||
| ### Notes | ||
|
|
||
| #### **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb | ||
| - @bnb | ||
| - No updates since last week | ||
| - would love help/willing to pair with others | ||
| - [ ] **Action:** find help to get this over the finish line | ||
|
|
||
| #### **PR**: [#418 RFC: Trust system root CA certificates](https://github.com/npm/rfcs/pull/418) - @deltoura | ||
| - @isaacs | ||
| - reasonable request | ||
| - Ask is to have `npm` should stack system certificate store + defined | ||
| - Cureently, `npm` just passes this information off to `node` | ||
| - [ ] **Action:** needs investigation w/ how this works in core | ||
|
|
||
| #### **PR**: [#405 RFC: Resolve packages based on Node.js version](https://github.com/npm/rfcs/pull/405) - @deltoura | ||
| - @bnb | ||
| - `engines` is used as advisory at the moment | ||
| - ... | ||
| - @wesleytodd | ||
| - the Node PM WG did work in this area with a **supports** spec | ||
| - potentially `overrides` helps resolve this for end-users | ||
| - @ljharb | ||
| - wants some kind of conditional definition for a package maintainer to indicate to a consumer what `version` will work with what `engines` | ||
| - @isaacs | ||
| - we kind of already have a heuristic for this (engines does somewhatdictate sort order) | ||
| - just use overrides(TM) | ||
| - [ ] **Action:** relay that this isn't something we want to support, provide the alternatives & link back to this discussion | ||
| - [ ] **Action:** remove the logic to sort based on matching engines & just use | ||
|
|
||
| #### **PR**: [#397 RFC: Peer dependencies should be able to match a full range of prerelease versions](https://github.com/npm/rfcs/pull/397) - @alasdairhurst | ||
| - @alasdair idea is to add to the set to include pre-releases | ||
| - @wraithgar requires changes to `node-semver` | ||
| - @darcyclarke sounds very similar to [staged publishes](https://github.com/npm/rfcs/pull/92) | ||
| - @isaacs | ||
| - two options: | ||
| - 1. we could provide a flag like `--include-prereleases` (this is a bomb not a swiss army knife, as you'll get prereleases _everywhere_, but that might be fine? since you'd just use it when installing the prerelease-using thing for testing in dev?) | ||
| - 2. ... | ||
| - @alasdair don't know if options would resolve the peerdependency problem of requiring a dep that resolved to a prerelease that can't then be updated since | ||
| - @wesleytodd has used prerelease-specific `dist-tags` for testing & locking into during development | ||
| - @ljharb sounds like this could be another usecase for `overrides` | ||
| - [ ] **Action:** @alsdair to provide more usecases | ||
|
|
||
| #### **Issue**: [#420 [RRFC] Don't expand tabs by default](https://github.com/npm/rfcs/issues/420) - @diogoeichert | ||
| - @isaacs we can introduce new flags for this | ||
| - Luke Karrys from the `npm` CLI team is going to open an RFC for `package.json` more robust formatting configs | ||
|
|
||
| #### **PR:** [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb | ||
| - @bnb this is an RFC in response of recent anguish felt by `npm audit` users | ||
| - @isaacs there are other standards being put together we should include | ||
| - @wesleytodd note: there is an OpenJS Collab Space that exists as it pertains to this problem in the broader node/javascript ecosystem ([vulnerability reporting kick-off presentation](https://www.youtube.com/watch?v=X-0yb1Nfp_I)) | ||
| - [ ] **Actions:** do a deep-dive on this next week |