Skip to content

Latest commit

 

History

History
126 lines (108 loc) · 5.62 KB

2022-08-03.md

File metadata and controls

126 lines (108 loc) · 5.62 KB
Raw

Meeting from: August 3rd, 2022

Open RFC Meeting (npm)

Attendees

  • Darcy Clarke (@darcyclarke)
  • Nathan Fritz (@fritzy)
  • Ruy Adorno (@ruyadorno)
  • Jordan Harband (@ljharb)
  • Owen Buckley (@thescientist13)
  • Gar (@wraithgar)

Agenda

  1. Housekeeping
    1. Introduction(s)
    2. Code of Conduct Acknowledgement
    3. Outline Intentions & Desired Outcomes
    4. Announcements
  2. Discussion: Auditing SLSA provenance
  3. Issue: #620 [RRFC] npm init add a new question: type => "commonjs/module" - @aladdin-add
  4. Issue: #619 [RRFC] New --ci flag for npm outdated command - @khalyomede
  5. PR: #618 RFC: `npm debug` command - @about-code
  6. Issue: #615 [RRFC] exportable config definitions - @fritzy
  7. Issue: #612 [RRFC] Support --cpu and --os flag to specify platform specific install - @archfz
  8. Issue: #610 [RRFC] Parallel script execution when value is set to an array of text. - @EvanCarroll
  9. PR: #5000 feat: add npm query cmd - @ruyadorno
  10. PR: #595 Propose backwards-compatible improvements to compression - @EvanHahn
  11. PR: #593 Only Registry Dependencies - @thescientist13
  12. PR: #23 Add Singleton Packages RFC. - @usergenic

Need Ratification

Notes

Discussion: Auditing SLSA provenance

  • @ruyadorno
    • @laurent open source security team
    • opportunity to leverge the work at Google/SLSA to leverage this work
  • @laurent
    • do not trust github/other ci builds
    • involved in builders
    • have native builders running on GitHub
    • use reusable workflows
  • @ljharb
    • this work is focused on tieing builds back to packages
    • this seems impossible given all the dependencies build processes will have

Issue: #612 [RRFC] Support --cpu and --os flag to specify platform specific install - @archfz

  • @ljharb
    • trying to determine the usecase
  • @archfz
    • using wine
    • wants to opt-out of the check
    • suggests we wait for more community feedback
  • @ruyadorno
    • this could be tied together with the package distributions RFC
  • @wraithgar
    • if this is only related to the cpu/os checks & being able to avoid them then it's well scoped - if this bleeds into node-gyp config that is likely out of scope of npm

Issue: #620 [RRFC] npm init add a new question: type => "commonjs/module" - @aladdin-add

  • @ljharb
    • buggest problem with type: "module" is that people think they need to change the type to be able to use ESM
    • having this as a question would cause way more confusion
  • @ruyadorno
    • doesn't agree with the sentiment
  • @ljharb
    • .mjs files = ESM & don't have to change anything in pakcage.json
  • @wraithgar
    • questions we ask today in npm init are locked-in
    • future questions are all available by definining a separate install module/config
  • @ljharb
    • would love a future addition/question to init (ex. "are you a package or a project?" ie. are you a maintainer or consumer)
  • @ruyadorno
    • ex. npm pkg to use

PR: #5000 feat: add npm query cmd - @ruyadorno

  • @ruyadorno
    • PR has been merged
    • remove agenda label

Issue: #615 [RRFC] exportable config definitions - @fritzy

  • @wraithgar
    • just need to consolidate configs
  • @darcyclarke
    • migrating to statusboard

Issue: #619 [RRFC] New --ci flag for npm outdated command - @khalyomede

  • @wraithgar
    • this makes a lot of sense
    • should bikeshed the name (the name is confusing for sure)
    • should consolidate the flag for exit code
    • if we change the defaults we still need the flag
  • @ljharb
    • wish the default resukt for all commands respected old shell idioms

PR: #618 RFC: `npm debug` command - @about-code

  • @wraithgar
    • this seems like a new lifecycle script
    • on the bin changes, we'd need to rethink this
    • need more signals between exec & run
  • @ljharb
    • making debugging sounds valubale
    • should be able to just set the environment variable to acheive this
  • @ruyadorno
    • trying to set some default behaivour for this new npm debug command which is not great (start is also confusing for some folks)

Issue: #610 [RRFC] Parallel script execution when value is set to an array of text. - @EvanCarroll

  • ...

PR: #595 Propose backwards-compatible improvements to compression - @EvanHahn

  • ...

PR: #593 Only Registry Dependencies - @thescientist13

  • ...

PR: #23 Add Singleton Packages RFC. - @usergenic

  • ...