From 8cbeb16a4be808036a094b140641e2dc771aba6f Mon Sep 17 00:00:00 2001 From: duxiaodong Date: Tue, 9 May 2017 13:00:51 +0800 Subject: [PATCH 1/3] feat(rfc): add 0000-lock-without-registry.md --- text/0000-lock-without-registry.md | 36 ++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 text/0000-lock-without-registry.md diff --git a/text/0000-lock-without-registry.md b/text/0000-lock-without-registry.md new file mode 100644 index 0000000..05ecc45 --- /dev/null +++ b/text/0000-lock-without-registry.md @@ -0,0 +1,36 @@ +- Start Date: (2017-05-09) +- RFC PR: (leave this empty) +- Yarn Issue: (leave this empty) + +# Summary + +Lockfile yarn.lock should not include base registry(`https://registry.npmjs.org`). + +# Motivation + +In yarn.lock, the `resolved` field includes registry such as `https://registry.npmjs.org`. +In China, most of developers will set registry to `https://registry.npm.taobao.org` for speed, but for travis-ci, circleci, it seems to be slowly. + +# Detailed design + +Replace `resolved` by a `hash` field. +The `url` in `resolved` is unnecessary, and keeping `hash` is enough. + +# How We Teach This + +Just set registry if you do not want to use `https://registry.npmjs.org` before `yarn install`. +Or use `yarn install --registry=https://registry.npm.taobao.org`. + +# Drawbacks + +There is a lit of work for the users who really need the whole `resolved` field in their project. +**Example** +`yarn install --registry=https://registry.npm.taobao.org` + +# Alternatives + +Don't change the lockfile, but the real registry can be changed by `yarn install --registry=https://registry.npm.taobao.org` + +# Unresolved questions + +No questions From 29d50afafae09c9e0d0909f743e492be6c24131a Mon Sep 17 00:00:00 2001 
From: Lin Jian Date: Tue, 9 May 2017 13:35:58 +0800 Subject: [PATCH 2/3] Update 0000-lock-without-registry.md --- text/0000-lock-without-registry.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/text/0000-lock-without-registry.md b/text/0000-lock-without-registry.md index 05ecc45..a2acc27 100644 --- a/text/0000-lock-without-registry.md +++ b/text/0000-lock-without-registry.md 
@@ -1,35 +1,34 @@ -- Start Date: (2017-05-09) -- RFC PR: (leave this empty) -- Yarn Issue: (leave this empty) +- Start Date: 2017-05-09 +- RFC PR: +- Yarn Issue: # Summary -Lockfile yarn.lock should not include base registry(`https://registry.npmjs.org`). +The lockfile yarn.lock should not include the base registry (`https://registry.npmjs.org`). # Motivation In yarn.lock, the `resolved` field includes registry such as `https://registry.npmjs.org`. -In China, most of developers will set registry to `https://registry.npm.taobao.org` for speed, but for travis-ci, circleci, it seems to be slowly. +In China, most developers will set it to `https://registry.npm.taobao.org` for speed; but it seems slow for travis-ci and circleci. # Detailed design -Replace `resolved` by a `hash` field. -The `url` in `resolved` is unnecessary, and keeping `hash` is enough. +Replace the `resolved` by a `hash` field. +The `url` in `resolved` is unnecessary; keeping `hash` is enough. # How We Teach This -Just set registry if you do not want to use `https://registry.npmjs.org` before `yarn install`. +Just set the registry before `yarn install` if you do not want to use `https://registry.npmjs.org`. Or use `yarn install --registry=https://registry.npm.taobao.org`. # Drawbacks - -There is a lit of work for the users who really need the whole `resolved` field in their project. -**Example** -`yarn install --registry=https://registry.npm.taobao.org` +More effort is needed in order to support users who really need the whole `resolved` field in their project. # Alternatives -Don't change the lockfile, but the real registry can be changed by `yarn install --registry=https://registry.npm.taobao.org` +Don't change the lockfile, but change the real registry by + +`yarn install --registry=https://registry.npm.taobao.org` # Unresolved questions From 3687b3034e8c7262f8731546b67ebecef8e336ad Mon Sep 17 00:00:00 2001 
From: duxiaodong Date: Fri, 12 May 2017 11:36:32 +0800 Subject: [PATCH 3/3] Update by comments --- text/0000-lock-without-registry.md | 35 ++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/text/0000-lock-without-registry.md b/text/0000-lock-without-registry.md index a2acc27..e306b75 100644 --- a/text/0000-lock-without-registry.md +++ b/text/0000-lock-without-registry.md 
@@ -4,32 +4,49 @@ # Summary -The lockfile yarn.lock should not include the base registry (`https://registry.npmjs.org`). +The lockfile yarn.lock should not include the base registry (`https://registry.yarnpkg.com`). # Motivation -In yarn.lock, the `resolved` field includes registry such as `https://registry.npmjs.org`. +In yarn.lock, the `resolved` field includes registry such as `https://registry.yarnpkg.com`. + In China, most developers will set it to `https://registry.npm.taobao.org` for speed; but it seems slow for travis-ci and circleci. +By the way, the current approach leads to developers leaking their internal artifact repository sites to the public internet via yarn.lock if they have their company's artifact repository configured in a .npmrc or .yarnrc file. + # Detailed design Replace the `resolved` by a `hash` field. -The `url` in `resolved` is unnecessary; keeping `hash` is enough. +The `url` in `resolved` is unnecessary; keeping `hash` is enough. For example: + +before +``` +lodash@4.17.4: + version "4.17.4" + resolved "http://registry.npm.taobao.org/lodash/download/lodash-4.17.4.tgz#78203a4d1c328ae1d86dca6460e369b57f4055ae" +``` +after +``` +lodash@4.17.4: + version "4.17.4" + hash "78203a4d1c328ae1d86dca6460e369b57f4055ae" +``` # How We Teach This -Just set the registry before `yarn install` if you do not want to use `https://registry.npmjs.org`. -Or use `yarn install --registry=https://registry.npm.taobao.org`. +Just set the registry before `yarn install` if you do not want to use `https://registry.yarnpkg.com`. # Drawbacks More effort is needed in order to support users who really need the whole `resolved` field in their project. # Alternatives -Don't change the lockfile, but change the real registry by - -`yarn install --registry=https://registry.npm.taobao.org` +Don't change the lockfile, but replace with the real registry by set registry config. # Unresolved questions -No questions +How will this be rolled out to all Yarn using projects? 
+ +Will Yarn replace the entire yarn.lock file? + +Will Yarn only use the new format for changed resolutions in the yarn.lock file?
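Review bot: In PATCH 1/3, Summary and Detailed design disagree on scope: Summary asks only that the lockfile omit the base registry, while Detailed design ("Replace `resolved` by a `hash` field.") drops the whole URL, path and filename included. Please state in Detailed design how an install reconstructs the tarball location from the package name, the version and the configured registry, and what happens to an entry whose `resolved` value does not start with the base registry. Separately, in Drawbacks, "a lit of work" is a typo, and the **Example** line repeats the `yarn install --registry=...` command from How We Teach This rather than illustrating a drawback.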
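Review bot: In PATCH 2/3, the reworded Motivation sentence "most developers will set it to `https://registry.npm.taobao.org` for speed; but it seems slow for travis-ci and circleci" uses "it" twice with different referents, so a reader cannot tell which registry is slow on CI. Name the registry in the second clause, since the whole motivation rests on that contrast. In Drawbacks, the blank line after the `# Drawbacks` heading was removed along with the old text, so "+More effort is needed ..." now sits directly under the heading, unlike the other sections of the file; restore the blank line. "Replace the `resolved` by a `hash` field" would also read better as "Replace the `resolved` field with a `hash` field".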
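Review bot: In PATCH 3/3, the "after" example in Detailed design leaves `hash "78203a4d1c328ae1d86dca6460e369b57f4055ae"` as the only thing tying a lock entry to a specific tarball, but the text never names the digest algorithm or says the install must fail when the downloaded file does not match. Once the URL is gone and the registry is whatever the client has configured, that check is what keeps two machines installing the same bytes, so the design should say which algorithm the 40-hex-character value is, that it is verified on every install regardless of registry, and how a stronger digest could be recorded later. The "before" example also uses `http://registry.npm.taobao.org` while the prose uses `https://`; use one scheme. In Motivation, the internal-repository disclosure point is introduced with "By the way" although it is a separate reason for the change and deserves its own sentence without that opener. In Alternatives, "by set registry config" should read "by setting the registry config".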