- Darcy Clarke (@darcyclarke)
- Gar (@wraithgar)
- Nathan Fritz (@fritzy)
- Isaac Z. Schlueter (@isaacs)
- Luke Karrys (@lukekarrys)
- Tierney Cyren (@bnb)
- Nathan LaFreniere (@nlf)
- Alasdair Hurst (@alasdairhurst)
- Housekeeping
- Introduction(s)
- Code of Conduct Acknowledgement
- Outline Intentions & Desired Outcomes
- Announcements
- Audit Improvements:
- Review Action Items from previous deep-dive call
- PR: #18 npm audit and audit-resolve.json - @naugtur
- PR: #182 RFC: npm audit licenses - @bnb
- PR: #422 RFC: audit assertions - @bnb
- RFC: #397 Peer dependencies should be able to match a full range of prerelease versions - @alasdairhurst
- RRFC: #430 Improving workspace terminology - @jasonwilliams
- RRFC: #428 npm publish should tell you the end point it's pushing too. - @EvanCarroll
- RRFC: #427 npmrc file improvements - @EvanCarroll
- RRFC: #425 npm-unpublish should have some type of warning when unpublishing package - @pranavkhapra
Review Action Items from previous deep-dive call
- @darcyclarke will provide an update &/or reference to backlogged work to be done to investigate UX/UI npm audit improvements
PR: #18 npm audit and audit-resolve.json - @naugtur
- @isaacs npm/arborist#301 requires changes
PR: #182 RFC: npm audit licenses - @bnb
- @bnb no update
- @isaacs notably the license SPDX string is not being included in lockfiles (will need to be added to corgi docs)
- Action: queue up adding the metadata to corgi docs w/ the registry team
PR: #422 RFC: audit assertions - @bnb
- @bnb: updated PR with some information, will update a bit more in-meeting to address "limiting scope"
- npm/cli#3452
RRFC: #430 Improving workspace terminology - @jasonwilliams
- @isaacs
- ~"language is hard"
- provided feedback/insight in the originating discussions here: npm/feedback#510
- @darcyclarke
- has tried to map/visualize these terms as they relate to a
- Action: make PR to amend original Workspaces RFC with a picture/visual of our terminology w/ glossary
- @fritzy
- believe our definition is fine so long as we're consistent & glossary is explicit
- Action: Add glossary to npm/cli docs (rough draft)
- Action: editorial pass through existing npm/cli docs to make sure we're using these terms properly
- Action: (nice to have) Automatically link words in docs to their glossary definitions (this might be too noisy/complicated?)
RRFC: #428 npm publish should tell you the end point it's pushing too. - @EvanCarroll
- @naugtur would be nice to have it print prior to 2fa prompt
- Action: add registry target config output when using npm publish
- Action: consider other commands that we may want to provide this output/context (start with write operations at first)
RRFC: #427 npmrc file improvements - @EvanCarroll
- @isaacs
- have been considering improvements internally
- this initial discussion/issue doesn't go as far as we'd like if we're going to make a breaking change to .npmrc/config
- npm install --regsitry=foo <- typos don't throw (ie. infinite options/config)
- let's eliminate nopt
- @naugtur
- consider making this an ecosystem package first & make it optional before shipping it by default
- @darcyclarke
- what about something like --thrown-on-unkown to curb the infinite supported config problem we have today
- Action: audit config / propose a more comprehensive RFC
RRFC: #425 npm-unpublish should have some type of warning when unpublishing package - @pranavkhapra
- @wraithgar want to be mindful that this would be specific to the npm public registry's policies
- @naugtur this shouldn't be that destructive given the current policy around a 24hr window