- Darcy Clarke (@darcyclarke)
- Gar (@wraithgar)
- Daniel Park (@gimli01)
- Isaac Z. Schlueter (@isaacs)
- Ruy Adorno (@ruyadorno)
- Luke Karrys (@lukekarrys)
- Nathan LaFreniere (@nlf)
- Jordan Harband (@ljharb)
- Housekeeping
- Introduction(s)
- Code of Conduct Acknowledgement
- Outline Intentions & Desired Outcomes
- Announcements
- Clean up of historically ratified RFCs
- Determine what items should be moved to `withdrawn` & the corresponding amendment
- Check-in / Progress on Action Items
- Quick updates on &/or additions to tracking work items
- Issue: #398 [RRFC] Top-level command to manage package.json - @ruyadorno
- Issue: #390 [RRFC] npm publish should fail when the files is misconfig in package.json
- PR: #343 RFC: npm workspaces: auto switch context based on cwd - @ruyadorno
- PR: #336 RFC for `where` config parameter - @nlf
- PR: #392 RFC: group outdated packages by dependency type - @thiagodp
- PR: #386 RFC: Add check-installed-peers - @roaders
- PR: #3397 - feat(config): add `in-range` to `npm outdated`
- @ruyadorno to turn this into an actual RFC
- @naugtur to make a PR (or issue) against arborist's audit report to indicate direct dependencies in output
- @naugtur to investigate npm explain --json as means to figure out if a vulnerable path is a dev/optional/bundled dependency
- @naugtur to create an issue against the CLI to show the diff information that Arborist provides (@isaacs: should probably always show if --dry-run)
- @ruyadorno & @bnb to sync & work on initial work / POC
Clean up of historically ratified RFCs
- Determine what items should be moved to `withdrawn` & the corresponding amendment
- Leaving proposals in the `accepted/` folder means it's somehow in our roadmap and the community might expect these to be implemented at some point, thus removing things we're not likely to prioritize makes more sense than just leaving it all sit there forever.
- 0002-changelog
- not likely to implement
- adding a new command to a domain outside that of the npm cli responsibility
- 0004-npm-audit-xml-report
- not likely to implement
- @ljharb maybe useful distinction to make "patch welcome"
- @isaacs: we can just put that in the withdraw note
- 0005-update-package-json
- implemented by default in arborist now, seems like?
- needs review to see if it differs from implementation
- 0006-shallow-updates
- implemented by default when doing `npm update <name>`, irrelevant when doing `npm update` (no args) because that just rebuilds the tree from scratch ignoring the lockfile.
- needs to be reviewed, looks like parts of it were implemented so it might need tweaking/updating
- 0007-publish-without-tag
- will implement, keep as accepted
- 0008-no-caret-prerelease-installs
- @isaacs: push back, not particularly useful, kind of changes established semantics of semver and how prereleases are handled.
- users can use `save-exact` if that's what they wanted
- 0011-npm-link-changes
- That particular implementation no longer exists, links are handled differently by arborist now
- 0012-running-as-root
- needs review to see if it differs from implementation
- looks like it was already updated to use the owner-inference thing
- 0028-publish-prompt
- keep
- 0034-improve-command-suggestions
- implemented
- 0035-registry-spec
- keep
- 0036-overrides
- keep
- 0037-audit-overrides
- keep
- Quick updates on &/or additions to tracking work items
- Nothing to update this week - will keep tracking these for next week
Issue: #398 [RRFC] Top-level command to manage package.json - @ruyadorno
- @ruyadorno
- want to standardize/centralize this process
- implemented `set-script` but that was a one-off
- something like this makes it easier to manage workspaces
- @isaacs suggested API should match `npm config`
- @darcyclarke `npm view` works this way as well
- @isaacs what does `npm pkg -w <ws-name> set ...` do?
- @darcyclarke should def be a supported workflow
- @ljharb could provide great automation workflows for setting fields across multiple packages
- Action item: Write an actual RFC
Issue: #390 [RRFC] npm publish should fail when the files is misconfig in package.json
- @ljharb if an item is explicitly included, it makes sense to throw in case it's missing
- @isaacs it's a breaking change if it's an error. should be a warning by default.
- @darcy could opt-in to erroring with a `--files-strict` config
- Action item: Backlog an item to start logging the warning message
- @isaacs: example: `// ok if we ONLY have lib/foo/bar.xyz, but nothing else? lib/{?.js,*,foo/**/*.xyz,baz}`
- simplest approach would be something like "every pattern in `files` must match at least one path in the packlist", rather than treating `{,}` expansion in any special way
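The "every pattern in `files` must match at least one path in the packlist" check discussed above, as an added example that is not part of these notes or of the npm CLI's code. It uses a small hand-written glob matcher rather than npm-packlist; the names `expandBraces`, `globToRegExp`, `pathAndParents` and `checkFilesField`, the `strict` option standing in for the proposed `--files-strict` config, and the packlists are all assumptions constructed for the example. Brace groups are expanded into alternatives and an entry counts as satisfied if any alternative matches any packed path or one of its parent directories, so @isaacs's `lib/{?.js,*,foo/**/*.xyz,baz}` case passes when only `lib/foo/bar.xyz` is packed, while a `dist` entry with no `dist/` in the tarball is reported.

```javascript
'use strict';
// Added example, not npm's code. Function and option names are assumptions;
// npm-packlist's real rules (dotfiles, .npmignore, always-included files)
// are not reproduced here.

// Expand `{a,b,c}` groups into one pattern per alternative. The innermost
// group is expanded first and the result recursed on, so nesting works.
function expandBraces(pattern) {
  const m = pattern.match(/^(.*?)\{([^{}]*)\}(.*)$/);
  if (!m) return [pattern];
  const [, pre, body, post] = m;
  const expanded = body.split(',').flatMap((alt) => expandBraces(pre + alt + post));
  return [...new Set(expanded)];
}

// Translate one brace-free glob into an anchored RegExp:
//   `**`  any number of path segments (including none)
//   `*`   anything except `/` within one segment
//   `?`   exactly one non-`/` character
function globToRegExp(glob) {
  let re = '^';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') {
      i++; // consume the second '*'
      if (glob[i + 1] === '/') { i++; re += '(?:.*/)?'; } else { re += '.*'; }
    } else if (c === '*') {
      re += '[^/]*';
    } else if (c === '?') {
      re += '[^/]';
    } else if ('.+^$()|[]\\{}'.includes(c)) {
      re += '\\' + c; // escape regex metacharacters, including stray braces
    } else {
      re += c;
    }
  }
  return new RegExp(re + '$');
}

// A packed path satisfies a pattern if the pattern matches the path itself or
// any parent directory: `lib` and `lib/*` both cover `lib/foo/bar.xyz`, the
// same way a directory entry in `files` pulls its contents into the tarball.
function pathAndParents(p) {
  const parts = p.split('/');
  return parts.map((_, i) => parts.slice(0, i + 1).join('/'));
}

// Returns the `files` entries that match nothing in the packlist. By default
// the caller turns each one into a warning; with `strict` (standing in for
// the proposed `--files-strict` config) the check throws instead.
function checkFilesField(files, packlist, { strict = false } = {}) {
  const unmatched = [];
  for (const entry of files) {
    if (entry.startsWith('!')) continue; // exclusions need not match anything
    const cleaned = entry.replace(/^\.?\//, '').replace(/\/+$/, '');
    const regexps = expandBraces(cleaned).map(globToRegExp);
    const hit = packlist.some((p) =>
      pathAndParents(p).some((c) => regexps.some((r) => r.test(c))));
    if (!hit) unmatched.push(entry);
  }
  if (strict && unmatched.length > 0) {
    throw new Error(`files entries match nothing in the packlist: ${unmatched.join(', ')}`);
  }
  return unmatched;
}

// Constructed packlists, standing in for what npm-packlist would produce.
const onlyBarXyz = ['lib/foo/bar.xyz', 'package.json'];
const jsOnly = ['lib/index.js', 'package.json'];

// @isaacs's case: the whole brace pattern is satisfied by lib/foo/bar.xyz alone.
console.log(checkFilesField(['lib/{?.js,*,foo/**/*.xyz,baz}'], onlyBarXyz)); // []

// Misconfigured field: `dist` and the .ts glob match nothing, so warn on both.
for (const entry of checkFilesField(['dist', 'lib/**/*.ts', '!lib/**/*.test.js'], jsOnly)) {
  console.warn(`npm WARN files entry "${entry}" matches nothing in the packlist`);
}
```

Treating each expanded alternative as "any one may match" is what makes the brace case come out as a single satisfied entry instead of four separately-checked patterns, which is the distinction the notes draw between the simple rule and special-casing `{,}`.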
PR: #343 RFC: npm workspaces: auto switch context based on cwd - @ruyadorno
- @ruyadorno
- one suggestion, throw a warning would make sense
- options:
- walk up the tree (NOOOOOOO)
- config in workspace or elsewhere `--workspace-root=<path>`
- could put in `packages/a/.npmrc`, but an invitation to footguns, because we don't copy npmrc from workspace root?
- config in packages/foo/package.json indicating workspace root (kind of an odd fit)
- link in `packages/foo/node_modules/.npm/workspace-root` to workspace root on first reify
- put the `packages/foo/.npmrc` file there with `workspace-root` on first reify
- put it in `packages/foo/package-lock.json` containing only the `workspaceRoot` property
- @isaacs: need a decision on intended behavior
- is the setting of workspace-root something that should happen implicitly?
- should it be leaked in published packages?
- only happen on `init`? or on any reification?
- Action item: Let's clean up the RFC and go with the nested `.npmrc` alternative for now, then we can continue/expand the conversation on this specific solution
PR: #336 RFC for `where` config parameter - @nlf
- recommendation:
- `--package-location` for `npm exec`
- `--config-location` for `npm config`
- should be enum words, not paths
PR: #392 RFC: group outdated packages by dependency type - @thiagodp
PR: #386 RFC: Add check-installed-peers - @roaders
- ...
- ...