chore: add meeting notes

Author: darcyclarke

.DS_Store

@@ -0,0 +1 @@
+.DS_Store

.gitignore

@@ -0,0 +1,67 @@
+#### Meeting from: September 4th, 2019
+# Open RFC Meeting (npm)
+
+### Attendees:
+
+- Darcy Clarke (@darcyclarke)
+- Isaac Z. Schlueter (@isaacs)
+- Claudia Hernández (@claudiahdz)
+- Tierney Cyren (@bnb)
+- Wes Todd (@wesleytodd)
+- Andrew Eleunterio
+
+### Agenda:
+
+- Welcome & Introductions
+- #43 Peer dependencies installation
+- #47 Unlisted dependency support
+- Review/converse on sustainability & support drafts
+- Carry-over: #1 Display package size information postinstall
+- Carry-over: #48 Link .hook scripts
+- Carry-over: #27 Package overrides
+- Carry-over: #36 Script-shell config
+
+### Notes:
+
+1. Welcome & Introductions    
+Tierney: Want to discuss RFCs accepted but not implemented
+Isaac: How do we address backlog of RFCs (including ratification)
+Next steps:
+Darcy to create an issue on npm/rfcs to highlight & discuss acceptance criteria (ie. ratification) & backlog
+
+2. #43 Peer dependencies installation
+
+Tierney: Issues with how npm handled ordering (ex. acorn deduping/resolution)
+Isaac: Options...
+Potentially open to other RFC around singletons
+should identify dependencies vs.
+package identifier (ie. https://github.com/npm/rfcs/pull/23/)
+Tierney: Potentially hide features behind feature flags to play nice with pnpm, yarn etc.
+Isaac: `--auto-install-peer-deps` -esque flag
+Next steps:
+Modifications coming to RFC (Isaac)
+Support might be able to land with npm v7
+
+3. #47 Unlisted dependency support
+
+Isaac: 
+Don’t want to break other package managers (ex. pnpm)
+Onus on npm to fix
+Community is already working around this (ex. Angular flattens /w config flag, npm-doctor etc.)
+Tierney:
+Advocating for explicit command
+Next steps:
+RFC: check code for unlisted deps in `npm doctor`
+RFC: print warnings at runtime for `npm test` under tink (npm >= v8)
+
+4.  Review/converse on sustainability & support drafts
+
+Wesley: 
+package maintenance WG looking at how to better support the maintainer that wants to communicate *support*
+`backing` overlap with *sustainability* proposal
+Isaac:
+Schema itself looks perfect
+Problems with number of changes that object may see
+Next steps:
+npm to provide feedback on existing issues/drafted spec
+Draft an RFC on npm/rfcs once there is consensus from Package Maintenance WG

meetings/2019-09-04.md

@@ -0,0 +1,64 @@
+#### Meeting from: October 2nd, 2019
+# Open RFC Meeting (npm)
+
+### Attendees:
+
+- Darcy Clarke (@darcyclarke)
+- Ruy Adorno (@ruyadorno)
+- Claudia Hernández (@claudiahdz)
+- Daniel Sauble (@djsauble)
+- Wes Todd (@wesleytodd)
+
+### Agenda:
+
+- Housekeeping (introductions, outlining intentions & desired outcomes)
+- Discuss proposals & ideas on the PRs/issues outlined
+- Open PRs, Templates & labels
+- npm support subcommand
+- npm cache list
+- docs: scoped names can begin with '.' & '_'
+- #48 Link .hook scripts
+- #1 Display package size information postinstall
+- #51 Expose arborist metadata to lifecycle scripts
+- #43 Peer dependencies installation
+- Document the discussion & next steps
+
+### Notes:
+- Darcy: Create public calendar with recurring event
+- Darcy: Create livestream integration for these calls
+- Agenda overview
+- Standardizing labels
+  - Good first issue
+  - Needs discussion (?)
+  - Try to set common standards across the communities
+- Support subcommand
+  - Schema conversation in the package maintenance group
+  - PR open in the cli: https://github.com/npm/cli/pull/246
+  - Support from other cli clients
+  - Intention to land asap in the npm cli
+  - Possible confusion with the name “Support” from users (is this related to the npm Inc. support team?)
+  - Concerns about the schema consensus, it’s going to be hard to change it after landing an initial implementation
+  - Package maintenance team is more concerned about a long term solution
+  - Loop back with the package maintenance working group
+    - Segment the conversation
+    - Then the current PR can tackle only that specific part (monetary) of the problem that the working group is currently tackling
+- npm cache list
+  - Ping Isaacs about it in order to get feedback
+  - labeled as semver-minor so it can potentially be a part of next release
+  - PR open in the cli: https://github.com/npm/cli/pull/194
+- Docs: scoped names can begin with '.' & '_'
+  - Seems to be wip
+  - Open PR: https://github.com/npm/cli/pull/134
+- Link .hook scripts
+  - Seems to have a concern from Isaacs
+  - Open PR: https://github.com/npm/rfcs/pull/48
+- Display package info post-install
+  - Open PR: https://github.com/npm/rfcs/pull/1
+  - Concerns about it being a misleading metric for end users
+  - Hide it behind a flag or create a separate command (?)
+- Expose arborist metadata to lifecycle scripts
+  - Need input from Isaacs
+  - Open PR: https://github.com/npm/rfcs/pull/51
+- Peer dependencies installation
+  - Maybe have a session with the rest of the team to explain to the team the background history here and why do we want to do it again
+- Meta: make sure we have a livestream next time in order to help increase awareness of the open rfc calls

meetings/2019-10-02.md

@@ -0,0 +1,100 @@
+#### Meeting from: October 16th, 2019
+# Open RFC Meeting (npm)
+
+### Attendees:
+
+- Darcy Clarke (@darcyclarke)
+- Ruy Adorno (@ruyadorno)
+- Claudia Hernández (@claudiahdz)
+- Michael Perrotte (@mikemimik)
+- Daniel Sauble (@djsauble)
+
+### Agenda:
+
+- Housekeeping (introductions, outlining intentions & desired outcomes)
+- Funding Package Maintainers (note: this needs RFC, Issue or PR)
+- #51 Expose arborist metadata to lifecycle scripts
+- npm cache list
+- #43 Peer dependencies installation
+- docs: scoped names can begin with '.' & '_'
+- #48 Link .hook scripts
+- https://github.com/npm/bin-links/pull/5 
+- Open RFC Meeting @ Collab Summit
+- Discuss new day/time for meeting
+- Discuss announcements (When? Where? How?)
+- https://github.com/nodejs/create-node-meeting-artifacts
+
+### Notes:
+
+#### Housekeeping (introductions, outlining intentions & desired outcomes)
+- Introduction, open rfc goal is to interact with the community
+- Feel free to send proposals
+
+#### Funding Package Maintainers (note: this needs RFC, Issue or PR)
+- Package Maintenance working group from OpenJS foundation is putting up work towards a spec
+- Draft spec: https://gist.github.com/darcyclarke/dd77c8f1fb895c5063bf39723a27d0fa
+- Goal is to have monetary means to maintainers to be supported by the community
+- We're going to focus on "funding" aspect
+- Planning to integrate it on both website and cli
+- Ruy is going to be championing the development for the work on the cli
+- Idea is to have a post install highlight the funding metadata results
+- `npm fund` command similar to (or adapted from) draft work from: https://github.com/npm/cli/pull/246
+- opt-out flag `--no-fund`
+- Intent is to land on next minor version `6.13.0`, 2 - 3 weeks from now
+- Idea is to loop back with package maintenance group in order to validate spec
+- We would like to have an actionable way to "resolve" funding for projects already backed in the future
+- Takeaways:
+  - Create PR against npm RFC repo with the result from the WG formalized spec
+
+#### Expose arborist metadata to lifecycle scripts
+- RFC: https://github.com/npm/rfcs/pull/51
+- Would require input from Isaac
+- Wants to expose metadata from arborist into env variables
+- Seems to build upon work on https://github.com/npm/rfcs/pull/38
+- Needs discussion
+
+#### npm cache list
+- PR: https://github.com/npm/cli/pull/194
+- Would be nice to have input from Isaac or Jacobs
+- Seems to be very useful in order to take a peek into the current cache
+- Has no tests right now
+
+#### Peer dependencies installation
+- RFC: https://github.com/npm/rfcs/pull/43
+- Need Isaac
+- Semver major, would land on npm@7
+
+#### docs: scoped names can begin with '.' & '_'
+- Just docs wording
+- Should land on next release
+- Also be picked up for new docs website
+
+#### Link .hook scripts
+- RFC: https://github.com/npm/rfcs/pull/48
+- Creates a `package.json` syntax to declare hooks without necessarily using `.hooks/` folder
+- PR: https://github.com/npm/bin-links/pull/5
+- Needs code review
+- Isaac expressed concerns in the RFC
+- Semver major
+
+#### Open RFC Meeting @ Collab Summit
+- Have a live session during the OpenJS Foundation collaboration Summit 13-14 in Montreal
+- Action item: Propose the meeting at the OpenJS Foundation collab summit repo
+- To be confirmed if the Community & Open Source team will be all there
+- Action item: Ruy proposes the summit session at the Github repo
+
+#### Discuss new day/time for meeting
+- Find a meet time/day in which more folks can attend
+- Many options of time in a given day
+- Post an issue in which we can run polls to define the time for the next meeting
+- Publish agenda in advance
+- Action item: Claudia will create the issue on the rfcs repo to coordinate that
+
+#### Discuss announcements (When? Where? How?)
+- Get the agenda into people's radar sooner
+- Reach out to folks that have open rfcs in the repo currently
+- Can we automate this process?
+- Use attendants from the community as a way to promote the open rfc calls
+- Going forward we should have livestream and hopefully more social media traction
+- Action item: Mike will automate creation of the agenda
+- Agenda can be generated 1 week prior to the next OpenRFC call

meetings/2019-10-16.md

@@ -0,0 +1,67 @@
+#### Meeting from: October 30th, 2019
+# Open RFC Meeting (npm)
+
+### Attendees:
+
+- Darcy Clarke (@darcyclarke)
+- Daniel Sauble (@djsauble)
+- Isaac Z. Schlueter (@isaacs)
+- Ruy Adorno (@ruyadorno)
+- Claudia Hernández (@claudiahdz)
+- Michael Perrotte (@mikemimik)
+
+### Agenda:
+
+- Housekeeping (introductions, outlining intentions & desired outcomes)
+- Review results of meeting time change poll #55
+- Review Standardizing Labeling Issues & PRs as "Agenda" items
+- Issue: #56 [FEATURE] Create RFC for Yarn Resolutions
+- Issue: #14 Fix up & improve statusboard
+- Issue: #55 What time should we run the Open RFC calls?
+- Issue: #3 Add settings.yml file and extend from npm defaults
+- Issue: #3 Add monitoring/benchmarking tools
+- Issue: #2 Add funding to package.json
+- Issue: #1 Default template files for projects
+- PR: #43 Let's install peer deps again!
+- PR: #36 Allow script-shell config in package.json
+- PR: #35 rfc: @pika/pack available in stock npm
+- PR: #34 RFC for dependencies change script addition
+- PR: #24 Unpublished modules should return 410 Gone
+- PR: #23 Add Singleton Packages RFC.
+- PR: #22 Add feature to show dependencies of a particular dependency
+- PR: #20 powershell scripts for installed binaries
+- PR: #18 Interactive audit resolver
+
+#### Notes:
+
+- [2] Darcy will shift one of these calls to 2PM EST and propose another set of times for another time slot that can capture another audience.
+- [3] Going forward, Darcy has automated the agenda compilation for this meeting. Add the “agenda” label to issues and PRs in the CLI repo to get them added to this meeting’s agenda automatically (via a cron job).
+- [4] In npm@7, we intend to add better interoperability between Yarn and npm. We might not have a package-lock.json file, so the ability to use the Yarn or pnpm equivalents is important.
+- [4] There’s an overlapping/non-identical set of data we can get from the various files, so the plan is to have arborist be clever enough to pull what information it can and turn it into a representation of all the packages in the project.
+- [4] Probably a different format of the lock file that arborist can use. Not a new file in your project, but a new file in your node_modules. Format of that file tbd.
+- [4] Adding resolutions isn’t a breaking change, so we could do it in [email protected] for example.
+- [7] The engineering org ratified some baseline PR templates, and created a .github project which maps those templates across all of our projects. You can override them on a per-project level, so we’re creating a new settings.yml that our projects can extend from as our standard.
+- [7] The org-wide .github project might not be the right approach for the OSS team, not surgical enough.
+- [8] In addition to 100% test coverage, we want to add some benchmarks (no cache, no lockfile, etc).
+- [8] pnpm started a project which runs each of the package managers against the same set of scenarios, so we want to adopt this internally.
+- [8] We rejiggered this so it’s easier to set up scenarios, and we intend to merge it into the CLI project. In v1 we’re going to start generating results, and in v2 we intend to start comparing against other package managers.
+- [8] Performance of publishing isn’t super important. People don’t generally complain that publishes take too long (they complain about installs instead, because there’s a (couple) order of magnitude more operations involved).
+- [8] Isaacs wants this so we can benchmark npm@7 against npm@6.
+- [9] Ruy is shepherding the implementation of the `npm fund` command. He’s starting with examples of how we do things already in the CLI (e.g. how we open links in the browser).
+- [9] There are three parts, finding packages with the funding attribute set in the package.json, listing the funding URLs on the CLI, and opening individual URLs in the browser.
+- [10] The engineering org ratified some default templates which don’t really work for our OSS projects, so this issue is about creating a new set of default templates that all of our OSS projects can extend.
+- [10] This is related to (but different from) [7]
+- [11] This is at a point where we’ve talked through all disagreements and gathered all the data we can, so Isaac locked the issue to recognize that there’s no point in continuing to discuss.
+- [11] If the concerns that were brought up in the PR are real, we’ll fix them in the beta of npm@7.
+- [11] There’s a good chance that the first version of npm@7 that people start using widely is not 7.0, but rather 7.3. Walking back peerDependencies if needed after the npm@7 beta is available shouldn’t be a big deal.
+- [11] Darcy will queue up an internal discussion around this
+- [12] Calling the field “npm” is kind of weird since the whole package.json is technically part of npm. Should think about renaming it, or moving it to “scripts”.
+- [12] Potentially we could add logic where you check the .npmrc first, and if the key is not found, check your package.json (or vice-versa).
+- [12] The question is whether we want to respect this setting on a per-package basis. If the answer is ‘no’, we need to consider adding support for this to the packuments as well.
+- [12] Creating a one-off for script config will create an expectation that you can do this for other config settings as well, which seems bad.
+- [12] Isaacs will give this feedback on the PR and create an issue for addressing this issue in a more holistic manner.
+- [13] Isaacs thinks we should let this lie until post-npm@7. The team has a lot on their plate right now. Darcy is moving this to the backlog.
+- [14] Should bikeshed the name a bit, we don’t currently use camel casing.
+- [14] Other questions: when do we run the script and what information is available to it? (e.g. pre-scripts don’t know what the filename is)
+- [14] Isaacs doesn’t see this landing prior to npm@7, it will be an order of magnitude easier to do later.
+- [18] We’ve already shipped this! Isaacs moved the RFC to the implemented folder.

meetings/2019-10-30.md

@@ -0,0 +1,53 @@
+#### Meeting from: November 13th, 2019
+# Open RFC Meeting (npm)
+
+### Attendees:
+
+- Darcy Clarke (@darcyclarke)
+- Daniel Sauble (@djsauble)
+- Ruy Adorno (@ruyadorno)
+- Claudia Hernández (@claudiahdz)
+- Michael Perrotte (@mikemimik)
+- Jordan Harband (@ljharb)
+
+### Agenda:
+
+- Housekeeping (introductions, outlining intentions & desired outcomes)
+- Issue: #58 What day/time should the alternating Open RFC call be?
+- PR: #24 Unpublished modules should return 410 Gone
+- PR: #23 Add Singleton Packages RFC.
+- PR: #22 Add feature to show dependencies of a particular dependency
+- PR: #20 powershell scripts for installed binaries
+- PR: #18 Interactive audit resolver
+- Issue: #65 [RRFC] turn off file name scrubbing for your own private registry
+
+### Notes:
+
+- [2] The poll showed that 2pm EST on Wednesday seems to be the best day/time for everyone (we won’t add alternating time slots for now)
+- [3] Changing the response for unpublished packages from a 404 to a 410 will involve changes to the registry, but seems like a reasonable change. If an entire package name has been unpublished, we should still return a 404.
+- [3] Deleting your lockfile and running npm install from scratch is not ideal because you should keep as much of your dependency tree locked as possible.
+- [3] This is probably an npm@7 type thing, because if we get a 410, we’d have to unroll to figure out the ideal tree structure, which isn’t the end of the world but additional work.
+- [3] If we have to create a new dependency tree that differs from what’s defined in your lockfile, we should fail so we don’t accidentally introduce dependencies you don’t want.
+- [3] Instead of doing this automatically, we should add a new command that will update the lockfile for you.
+- [4] Singleton on a package would cause dependency hell for all of my users.
+- [4] React already does this, but there hasn’t been programmatic support in npm.
+- [4] It would be really tempting if we added this feature to add the singleton property to React, because it breaks at runtime if you have multiple copies.
+- [4] Potentially a better approach to this is peerDependencies, for which there’s another RFC already.
+- [4] This comes down to who should own the tree shape of an application, the application developer or the module developer? Isaac thinks it should be the application developer since they have more context.
+- [4] Isaac will close this RFC and move the conversation over to the peerDependencies RFC.
+- [5] We’re going to need to make some deeper changes to `npm ls` in npm@7 (it’s slow). There’s no need to fully load in the package tree every time we run `npm ls`.
+- [5] `npm ls` will tell you if something is extraneous or an unmet dependency, but there’s no need to read the node_modules folder to get that info, we can get that from the lockfile instead.
+- [5] pnpm has a lockfile that is in the root of your project, and a separate lockfile in the root of your node_modules. Even if you install with --no-save, it always updates the node_modules lockfile.
+- [5] The pnpm approach is appealing because then you just need to compare the two lockfiles, instead of traversing the node_modules folder.
+- [5] Isaac is going to write an RFC describing how `npm ls` should change in npm@7.
+- [5] Isaac is also going to write an RFC for lockfile v2 (which is partially implemented already).
+- [6] PowerShell scripts require system permissions whereas CMD scripts did not, hence the prompt.
+- [6] Isaac is unsure whether it’s a feature or a bug in PowerShell
+- [6] See also: https://github.com/npm/cli/issues/470
+- [7] Majority of CVEs are false positives, so the desire is to be more surgical in deciding which advisories/packages to not flag.
+- [7] Cool feature, not a priority right now.
+- [7] Arborist will give us a better way to load a tree, so the security microservice can be more specific in deciding how to treat the tree. At that point, an interactive resolver would be much easier to do.
+- [7] The application author should be the one to drive the interaction, not module maintainers.
+- [7] Let’s table it until after npm@7.
+- Jordan wants to see funding take an array of things, because some packages have multiple maintainers and having to spin up a landing page kinda sucks.
+- Jordan is going to write an RFC for this.