From 2a5b2c58fdcddcdda78b80d35f6e4c1e21804784 Mon Sep 17 00:00:00 2001 From: Darcy Clarke Date: Wed, 28 Jul 2021 15:06:17 -0400 Subject: [PATCH] ocs: add meeting notes from 2021-07-28 call --- meetings/2021-07-28.md | 86 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 meetings/2021-07-28.md diff --git a/meetings/2021-07-28.md b/meetings/2021-07-28.md new file mode 100644 index 000000000..bedeff089 --- /dev/null +++ b/meetings/2021-07-28.md @@ -0,0 +1,86 @@ +#### Meeting from: July 28th, 2021 + +# Open RFC Meeting (npm) + +### Attendees +- Darcy Clarke (@darcyclarke) +- Gar (@wraithgar) +- Nathan LaFreniere (@nlf) +- Alasdair Hurst (@alasdairhurst) +- Wes Todd (@wesleytodd) +- Jordan Harband (@ljharb) +- Rebecca Turner (@iarna) +- Isaac Z. Schlueter (@isaacs) +- Zbyszek Tenerowicz (@naugtur) +- Owen Buckley (@thescientist13) + +### Previously... + +- [2021-07-21](https://github.com/npm/rfcs/blob/latest/meetings/2021-07-21.md) + +### Agenda + +1. **Housekeeping** + 1. Introduction(s) + 1. [Code of Conduct Acknowledgement](https://www.npmjs.com/policies/conduct) + 1. Outline Intentions & Desired Outcomes + 1. Announcements +1. **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb +1. **PR**: [#418 RFC: Trust system root CA certificates](https://github.com/npm/rfcs/pull/418) - @deltoura +1. **PR**: [#405 RFC: Resolve packages based on Node.js version](https://github.com/npm/rfcs/pull/405) - @deltoura +1. **PR**: [#397 RFC: Peer dependencies should be able to match a full range of prerelease versions](https://github.com/npm/rfcs/pull/397) - @alasdairhurst +1. **Issue**: [#420 [RRFC] Don't expand tabs by default](https://github.com/npm/rfcs/issues/420) - @diogoeichert +1. **PR:** [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb + +### Notes + +#### **PR**: [#182 RFC: npm audit licenses](https://github.com/npm/rfcs/pull/182) - @bnb +- @bnb + - No updates since last week + - would love help/willing to pair with others + - [ ] **Action:** find help to get this over the finish line + +#### **PR**: [#418 RFC: Trust system root CA certificates](https://github.com/npm/rfcs/pull/418) - @deltoura +- @isaacs + - reasonable request + - Ask is to have `npm` should stack system certificate store + defined + - Cureently, `npm` just passes this information off to `node` + - [ ] **Action:** needs investigation w/ how this works in core + +#### **PR**: [#405 RFC: Resolve packages based on Node.js version](https://github.com/npm/rfcs/pull/405) - @deltoura +- @bnb + - `engines` is used as advisory at the moment + - ... +- @wesleytodd + - the Node PM WG did work in this area with a **supports** spec + - potentially `overrides` helps resolve this for end-users +- @ljharb + - wants some kind of conditional definition for a package maintainer to indicate to a consumer what `version` will work with what `engines` +- @isaacs + - we kind of already have a heuristic for this (engines does somewhatdictate sort order) + - just use overrides(TM) +- [ ] **Action:** relay that this isn't something we want to support, provide the alternatives & link back to this discussion +- [ ] **Action:** remove the logic to sort based on matching engines & just use + +#### **PR**: [#397 RFC: Peer dependencies should be able to match a full range of prerelease versions](https://github.com/npm/rfcs/pull/397) - @alasdairhurst +- @alasdair idea is to add to the set to include pre-releases +- @wraithgar requires changes to `node-semver` +- @darcyclarke sounds very similar to [staged publishes](https://github.com/npm/rfcs/pull/92) +- @isaacs + - two options: + - 1. we could provide a flag like `--include-prereleases` (this is a bomb not a swiss army knife, as you'll get prereleases _everywhere_, but that might be fine? since you'd just use it when installing the prerelease-using thing for testing in dev?) + - 2. ... +- @alasdair don't know if options would resolve the peerdependency problem of requiring a dep that resolved to a prerelease that can't then be updated since +- @wesleytodd has used prerelease-specific `dist-tags` for testing & locking into during development +- @ljharb sounds like this could be another usecase for `overrides` +- [ ] **Action:** @alsdair to provide more usecases + +#### **Issue**: [#420 [RRFC] Don't expand tabs by default](https://github.com/npm/rfcs/issues/420) - @diogoeichert +- @isaacs we can introduce new flags for this +- Luke Karrys from the `npm` CLI team is going to open an RFC for `package.json` more robust formatting configs + +#### **PR:** [#422 RFC: audit assertions](https://github.com/npm/rfcs/pull/422) - @bnb +- @bnb this is an RFC in response of recent anguish felt by `npm audit` users +- @isaacs there are other standards being put together we should include +- @wesleytodd note: there is an OpenJS Collab Space that exists as it pertains to this problem in the broader node/javascript ecosystem ([vulnerability reporting kick-off presentation](https://www.youtube.com/watch?v=X-0yb1Nfp_I)) +- [ ] **Actions:** do a deep-dive on this next week