Support file #220
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,216 @@ | ||
| # Baseline practice - Document support levels | ||
|
|
||
| Package maintainers provide different level of support in the large npm ecosystem. | ||
| A mismatch between the support a maintainer is planning to | ||
| provide and that expected by a consumer of a module will cause | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| friction and stress on both the package maintainer and | ||
| the consumer. This is further complicated because the level of support | ||
| provided for dependencies of a package may be different than that | ||
| targeted by the package a consumer is directly consuming. | ||
|
|
||
| This baseline practice suggests a standardized set of information to | ||
| quantify the level of support that a package maintainer wishes/is able to | ||
| provide. The goal is to close the gap between the expectations from the | ||
| consumer and those of the maintainer and reduce the friction and stress | ||
| that can arise due to the gap. | ||
|
|
||
| There are 4 main dimensions that we standardize in this practice which are: | ||
|
|
||
| * `target`: the level of support that the package maintainer aims to provide | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| * `response`: how quickly the maintainer chooses to, or is able to, respond to issues | ||
| * `response-paid`: how quickly the maintainer will respond to issues if paid | ||
| * `backing`: how the project is supported | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| In addition a `url` field can optionally be provided with a link to more detailed | ||
| support information. | ||
|
|
||
| For each of these dimensions the potential options are not an ordered list. | ||
| Instead like licenses each ID will identify a unique option. If you wish to | ||
| identify your package with an option which is not yet listed, please PR your | ||
| option into the lists in the sections which follow. | ||
| The values can be any string, those which are not documented in the lists within | ||
| this document considered "custom" and may ignored for flagged by any tooling that | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| consumes these elements. | ||
|
|
||
| ## Support file | ||
|
|
||
| The support informations are stored in a `support.json` file | ||
| The recommended baseline practice is to include a file named `support.json` in the root direcotry of the project. | ||
|
|
||
| This file documents the maintainers expectations adding more useful metadata. | ||
|
|
||
| The file expects this example structure: | ||
|
|
||
| A `support` field with a `versions` key. | ||
| `versions` is an array of JSON that contains all the useful information detailed below. | ||
|
|
||
| ```json | ||
| { | ||
| "support": { | ||
| "versions": [ | ||
| { | ||
| "version": "<=1", | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "target": "abandoned", | ||
| "response": "none", | ||
| "response-paid": "regular-1", | ||
| "backing": [ | ||
| "paid-support", | ||
| "sponsored" | ||
| ], | ||
| "expires": "2019-08-01T20:47:27.840Z", | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "contact": { | ||
| "url": "http://support.it/issue", | ||
| "security": "mailto:security@nodejs.com", | ||
| "paid-channel": "mailto:iwantmoney@nodejs.com" | ||
| }, | ||
| "funding": { | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "open-collective": "", | ||
| "btc": "" | ||
| } | ||
| }, | ||
| { | ||
| "version": ">=2.0.0", | ||
| "target": "lts", | ||
| "response": "regular-7", | ||
| "response-paid": "regular-1", | ||
| "backing": "hobby", | ||
| "expires": "2021-08-01T20:47:27.840Z", | ||
| "contact": { | ||
| "url": "http://support.it/issue", | ||
| "security": "mailto:security@nodejs.com", | ||
| "paid-channel": "mailto:iwantmoney@nodejs.com" | ||
| }, | ||
| "funding": { | ||
| "open-collective": "", | ||
| "btc": "" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| The default for packages created by individuals for their own use should most often be: | ||
|
|
||
| ```json | ||
| { | ||
| "support": { | ||
| "versions": [ | ||
| { | ||
| "version": "*", | ||
| "target": "lts", | ||
| "response": "best-effort", | ||
| "backing": [ | ||
| "hobby", | ||
| "sponsored" | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| ], | ||
| "expires": "2019-08-01T20:47:27.840Z", | ||
| "contact": { | ||
| "url": "https://github.com/nodejs/package-maintenance/issues", | ||
| "security": "mailto:security@nodejs.com" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| This reflects that the maintainer in this case may have no interest in ensuring that the package works | ||
| outside of their use case. | ||
|
|
||
|
|
||
| ## Support `version` | ||
|
|
||
| The support version accepts a [semver range](https://semver.io/) value that define the versions of the | ||
| module that applies that configuration. | ||
|
|
||
|
|
||
| ## Support `target` | ||
|
|
||
| The support target captures the level of support that the package maintainer | ||
|
There was a problem hiding this comment. Perhaps this should instead be an object that works like “engines” - that way versions of node, npm, browsers, etc, could all be specified, using these values or semver ranges There was a problem hiding this comment. Likely you are suggesting there was discussion elsewhere (last PM meeting I think) that it should be an object with the example being target: { node: xxxx } and other domains could use something other than I'm also think we should allow specific versions and SemVer ranges in order to cover all situations. The guidance would suggest that one of the standard one's is best but that would give the flexibility to express other specific case as well. For example it supports Node.js 10.x only. There was a problem hiding this comment. Not saying it should not support the semver range, but I think this field should clarify the intent of the author, i.e. if it's a semver range, then it says "I only support node 10, and when node 12 comes out - ????", whereas a policy keyword says "I currently support node 10, and when node 12 becomes LTS - I will support that too". There was a problem hiding this comment. Perhaps it should be an array then, where each item is either a keyword or a semver range? There was a problem hiding this comment.
I think in this case the value of the field should be There was a problem hiding this comment. All of my packages would likely indicate There was a problem hiding this comment. @dominykas I was thinking that the sermver range would allow package maintainers to cover cases where the policy keyword does not cover it. Ideally/recommended would be to use one of the approaches covered by a defined policy keyword. |
||
| aims to provide. The standardized options are as follows: | ||
|
|
||
| | Value | Description | | ||
| |-------|-------------| | ||
| | `abandoned` | Not recommended for use. The package is deprecated or no longer maintained. | ||
| | `none` | Use at your own risk, no active support. May or may not work for a given Node.js version. | ||
| | `latest` | The package is maintained only for the Latest Node.js versions. You will be required to update to the latest LTS Node.js version in order to ensure you can use new versions/get security fixes. | ||
| | `lts` | The package is maintained for the Node.js LTS releases (both in Active and Maintenence mode). Anyone creating an application using an LTS version of Node.js and using the latest major version of LTS adopting modules will not have to accept semver-major level (ie. breaking) changes into that application in order to receive essential fixes. Full details are available [here](https://github.com/nodejs/package-maintenance/issues/119) (should we bring this into the package-maintenance repo?) | ||
| | `superset` | The package is maintained for versions of Node.js including both LTS and non-LTS releases. It may be necessary to accept semver-major level (ie. breaking) changes into that application in order to receive essential fixes. Documentation for the package will include the non-LTS releases for which the package is still maintained. | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| As an example based on the current active Node.js releases which are 6.x, 8.x, 10.x (LTS) and 11.x (Current) | ||
| support would be as follows where X indicates support is provided: | ||
|
|
||
| | Support-target| 6.x | 8.x | 10.x | 11.x | Others as documented | | ||
| |---------------|-----|-----|------|------|-----------------------| | ||
| | `abandoned` | | | | | | | ||
| | `none` | | | | | | | ||
| | `latest` | | | X | | | | ||
| | `lts` | X | X | X | | | | ||
| | `superset` | X | X | X | X | X | | ||
|
|
||
|
|
||
| ## Support `response` and `response-paid` | ||
|
|
||
| Support response quantifies how quickly the maintainer chooses to, or is able to, respond to issues: | ||
|
|
||
| | Value | Description | | ||
| |-------|-------------| | ||
| | `none` | Don't expect a response, the package is not being actively maintained | ||
| | `best-effort` | The maintainer is interested in fixing/discussing issues, however, there should be no expectation on response times. If and when the maintainer has time they may respond. | ||
| | `regular-7` | There are dedicated resources who regularly maintain the module, expected response time is 7 days or less for a "we read your issue" response. Further work will depend on prioritization of the issue by the maintainer team. | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| | `regular-1` | There are dedicated resources who regularly maintain the module, expected response time is 1 days or less for a "we read your issue" response. Further work will depend on prioritization of the issue by the maintainer team. | ||
| | `24-7` | There are dedicated resources who regularly maintain the module and they are available 24/7. You can expect to be able to contact the maintainers and get an initial response with 6 hours. | ||
|
|
||
| Support-response indicates the expectation unless you have paid one of the maintainers or a company that provides | ||
| 3rd party support. If paid support is available then Support-response-paid is an array of one or more options listing the | ||
| options that the maintainer knows are available. | ||
|
|
||
|
|
||
| ## Support `backing` | ||
|
|
||
| This section can be a single value or an array of values, for example: [x, y, z]. This supports cases where the | ||
| backing comes from more than one source. The documented options include: | ||
|
|
||
| | Value | Description | | ||
| |-------|-------------| | ||
| | `none` | There is nobody backing this module | ||
| | `hobby` | The single maintainer maintains the package for fun, does not get any support to continue maintenance. | ||
| | `sponsored` | The single maintainer actively maintains the package but depends on sponsorship to be able to continue to maintain the package. Consider supporting this sponsorship through patreon etc. | ||
| | `bounty` | The package is maintained through the use of a bounty service | ||
| | `project` | The package is maintained under the auspices of a larger project (ex Node.js project). | ||
| | `foundation` | The package is maintained and supported under the auspices of a Foundation. | ||
| | `company` | The package is maintained and supported by a corporate entity but may not be related to their product or service offerings. | ||
| | `commercial` | The package is maintained and supported by a corporate entity as part of supporting their products. | ||
| | `paid-support` | The package is maintained and supported through paid support contracts. | ||
| | `freemium` | Basic version of the package it provided for free, premium version is available at a cost. | ||
|
|
||
|
|
||
| ## Support `expires` | ||
|
|
||
| The expire field is a string in ISO Date format which define the ending of the term of that support entry. | ||
|
|
||
|
|
||
| ## Support `contact` | ||
|
|
||
| The contact field is a JSON that show to users all the possible channels to contact the maintainer: | ||
|
|
||
| ```json | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| "contact": { | ||
| "url": "http://support.it/issue", // URL to the issues tracker | ||
| "security": "mailto:security@nodejs.com", // A contact for security issues | ||
| "paid-channel": "mailto:iwantmoney@nodejs.com" // A direct contact for paid support | ||
| }, | ||
| ``` | ||
|
|
||
|
|
||
| ## Support `funding` | ||
|
|
||
| This field should track all the possibilities to fund the project to receive a paid support. | ||
|
|
||
| ```json | ||
| "funding": { | ||
| "open-collective": "", | ||
| "btc": "" | ||
Eomm marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
| ``` | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should likely generally avoid calling out
npmspecifically and instead focus on JavaScript or package registries in general.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think while npm ships with node, it should always be called out specifically - it remains the default and primary package manager for javascript, for the foreseeable future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think @jasnell's point is more that this is true across JS projects whether published to npm or not, and to me this change is just more inclusive. There is no reason we cannot use this proposal to help other ecosystems, even beyond just JavaScript. 👍 from me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is package.json - it doesn’t apply when not using npm.
I am strongly opposed to not calling out npm specifically.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is a separate file off the table? I thought we were still considering that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have laid out many reasons why a separate file is and should be unacceptable; I’m sure i haven’t persuaded everyone.
Either way, package maintenance for node unavoidably involves npm - we can mention alternatives also if it seems necessary, but there simply isn’t an “in general” category yet, only a few fledgling attempts (github, entropic) and a few dead ones (bower).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Haha, well I have been on the fence and you have kept me on the fence. The main reason I still see to have a separate file is that it can be updated separately from the package contents. There is no other way to avoid that issue with immutable packages with mutable support commitments.
I guess I just see "JavaScript ecosystem" as being inclusive of "npm ecosystem". Could we change this phrasing but then add something about the number of npm packages with support issues overwhelming development?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Outside npm, they’re not really the “packages” we’re concerned about imo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the subjects are the "package maintainers", the ecosystem is not only in the npm registry (maybe the 99% it is).
Since this file could be used by everyone, also in another registry, could we say
Package maintainers provide different level of support for published module across all the JavaScript ecosystem like npm.?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What ecosystems are we concerned about that don't end up on npm? What constitutes a "package" if it's not published to npm? People may install from git, but they're installing an npm package that happens to be on git instead of in a registry.