From YouTube: Package Maintenance Team meeting - Nov 5 2019
Description
A
A
A
Although I guess it's worth mentioning that Dunham at Dominica sand myself next week, we'll be talking about some of the work that this group is doing at NodeConf EU, so for anybody who's going to be there, we hope to see you, and, you know, it's for this group, it's a good opportunity to help promote some of the work and things that we've been doing. On to the first issue tagged for the, on the agenda. This is issue number 270.
A
A
A
B
B
B
We know that, you know, 40 percent of the packages don't publish, you know, in over a year. That doesn't mean they need any maintenance, maintainer isn't active, but also my personal opinion is that it moves for. Just for, you know, you shouldn't need to call somebody unmaintained before you, for, if you wanna, for that's what.
B
B
B
B
A
A
C
A
C
A
A
A
A
A
So I think on, so maybe, and that maybe even another division, like, for example, on our minutes, I'd have to go back to see how many times we actually got four people to review them. Now that, you know, those are probably less important, but I'd agree, like on best practices, you're right, we probably need more than two.
A
C
B
Which is, yeah, that's what I was going to bring with this group. It's not a very high priority activity. It's not something that note which gets, you know, millions of eyes. You know, we have the bi-weekly cadence, so I think seven days after last review is fine, reasonable. Okay, sure, maybe for the minutes, you know, we could meet up. Maybe for minutes it's, you know, two days or whatever, I mean.
A
C
C
A
A
A
It's a suggestion in terms of how to manage things in GitHub, so that most of the time when you publish your package, you'll automatically get a copy of the latest version of the support information, but the canonical, or whatever the right word is for the authoritative copy, is actually at a URL which is pointing back to the same GitHub repo, the same document. So you publish, you publish your package.
A
You will get a copy of that in the publish, but the package.json has a link back to that file in the GitHub repo. So you have the dynamic copy that you can update at any time, and there's a little bit more in there around, you know, suggestions on how to manage, sort of assuming that you're in GitHub, how it will default back to you.
A
Can, you know, there's a default. Then, if you want to actually have the case where you want to have, say, one GitHub repo which has your support information for multiple packages, you can actually override that and say: okay, no, it's in this other package. And then, if you want to have it in a different directory other than the default, there's also a way to do that, and it leverages the existing repo section that's already in the package.json. So there's been some discussion since then, not necessarily a huge amount.
C
We did some work on a package support, but the problem was, you know, we had a long meeting the other week. We obviously come back, so I think come back to a broader understanding, validate as we need, because when I look at the issue, the future direction one on that, perhaps we need to document it a bit more. Perhaps we need to alter that blog we were doing for package support to update it, because I don't keep going round and round on this one.
E
E
E
A
Blog posts promote, so I'm just saying, just, yeah, you'll be in there, but like the next steps, as I see, is like if everybody agrees, like I think in the issue it sounds like we have consensus. I just want to make sure in this meeting we're all agreed. I'll take the action to PR that into the doc itself.
A
F
E
A
Brainstorming, I'm just trying to, I'm adding this is another to-do slash working on tooling, because that's definitely something that we've thought of, is that we then can start writing tooling which would validate, you know, do validation and walking of modules, and I think because it has the URL, it should be able to get the dynamic information all the time.
A
I guess the longer-term, we potentially want to work with npm to see if we can get them to add to their tooling, but the feedback we got was they'd like to see some usage before they would start thinking about that, although I don't think that means we couldn't come up with some PRs and stuff, even to the npm client, if we think that there are specific things we'd like it to do, because that would be a very concrete thing that then could be discussed and so forth.
F
A
A
C
A
G
A
A
B
B
A
A
A
G
B
A
H
A
Like, for those who haven't had a chance to read the issue, what I was thinking is, like, probably every four or six months we should look at what we've talked about and, you know, go through and blog on it again or repost the blogs or whatever, right, because doing it once isn't necessarily gonna catch everybody. There's new maintainers, there's people who didn't see it the first time, and so we should be sort of periodically.
A
A
A
A
A
A
G
A
A
A
G
A
A
C
A
F
D
A
I also have a talk at Node+JS Interactive and I'm planning to use pretty much the same thing. Okay, I'll be about, yeah, it sounds good, so I'll just step through it and, you know, feel free to ask, I'm gonna, kiss or myself anything as we go through. So title page, a little bit about just introduction to ourselves, the agenda. So we want to talk about problems, how do we make things better, or what the package maintenance team is actually doing, and hopefully a call to action to get more people excited and interested, I
A
G
B
Right, so Node has grown, we've doubled the packages, which means that, you know, we're using Node in a lot of critical systems and we need things to work as users of Node packages, and creates better pressure on maintainers to do certain things, you know, keep dependencies up to date. Then there's, you know, this who goes destined LTS rather than whatever you have in your Travis setup, and maintainers are not always able to do that. So there's some issues there. Then there's, we had a couple of incidents over the past couple years.
B
You had the, yes, let's go, you have the event-stream and you had some other lists as prominent ones, and then there's a quick mention, of course, about the lack of communication channels, namely, and they made the developers of packages, the maintainers themselves. They have no way of pushing messages out to users. They have no way of talking to the consumers of their packages other than post-install messages, which everybody hates, and yeah, businesses are also asking questions. And then we quickly go through the different needs that we know that maintainers have.
B
B
B
You might argue, you know, where does the value of I sit and documentation? Is it in support, or is it in the code itself? But there's also the things that, you know, not finding funnel to do, and some other maintainers, they also want to simply move on and give away that package in a safe way, or deprecate it, or maybe find a new home in a foundation or something like that.
B
A
So then we move on to, like, well, okay, how do we make things better? And, you know, as we've talked about, it's around reducing this mismatched expectations, so doing things that will, you know, if a package maintainer created a package as a hobby, but now it's being used by three million, you know, there's three million downloads a week and businesses are depending on it, there's a bit of a mismatch in expectations in there, so hoping to close those mismatched expectations.
A
A lot of that is through communication and collaboration, so building channels where the consumers and maintainers can communicate with each other, for example, the package support that we'll talk about later on. It's also good to build communication and collaboration between the maintainers themselves. There's lots of things that, you know, as a package maintainer you have to figure out how to do, and in many cases you don't have strong feelings of how you need to do it.
A
So if you can just comfortably adopt the best practice, that's a good thing, and then really just increasing the communication between everybody involved is going to be helpful. The next one is, you know, working to make it easier to maintain packages, so building tooling, best, you know, guidance, all the various things that will help it.
A
You know, reduce the amount of work that a package maintainer actually has to do. And then, finally, you know, promoting responsible and sustainable consumption, so helping businesses understand, you know, the packages that they rely on, how well they're supported or not, and, you know, hopefully, motivating them to get involved and support and work with the dependencies that they depend on, and being able to make, you know, help support them being able to make the business case that it's actually important in terms of their overall risk management.
A
So, basically, hey, you know, a year ago we launched the package maintenance team, which is all about working on doing those things we think will make it better. A little bit about the history, where, you know, there was a, you know, we'd started a discussion on module LTS because we found that people have really resonated with the Node LTS release cycle and approach, but we found in those discussions that, you know, there was a more fundamental problem we needed to address first, which was really the package
A
Maintainers having trouble just keeping up with what they're doing today. We have representation from, you know, the consumers, package maintainers, people from the Node.js core, because it's important to the success of Node overall, npm, and hopefully will excite more people in terms of, you know, can it be you. And fundamentally, you know, it provides us a place to work together in terms of, you know, sharing processes, practices and so forth.
A
B
Okay, so state of the ecosystem. In trying to understand what's going on, we have service packages and we have that we scanned from the top 1,000 packages and the surveys. Yeah, just to mention that people can go take a look at them, and we'd also accept them filling out the surveys as well. Then moving on, just an overview of the numbers. So once when Indian published, the top 1000 in April ran these numbers.
G
B
We, you know, took a look at the release age of each package and we found that forty percent had a release in the last six months, but on the other hand, another forty percent did not have a release in over a year, which raises the next question is what, which is of note, do they support it? They haven't been releasing it actively. And then this is the information from the blog post, right. We found that around two-thirds were testing in the active of the explosion. Others were not.
B
Some of that was due to the default configuration of Travis son. Facts was not keeping up to date, so yeah, there's the blog post to go into the details. That then took a look at the outdated dependencies. So because this is the top 1000, they don't have many dependencies, right there at the very deepest level, logic and nc3, so naturally they are used by everybody, but so they don't use much. But all of those that do use, 20% had outdated.
B
Sorry, 20% of the dependencies that are used are outdated, meaning that, which is as well as it burns, correlates with 200 packages that have at least one outdated dependency. Dev dependencies are even worse. That's around 1/2, however, because the numbers are from npm and not from Git, the dev dependencies might have been updated and merged on master but not released.
B
Still, most of the packages have at least 100 have dependencies. So that's a bit of a concern there, but also, then, you know, what impact does it have on the security of your package tree? And npm audit reports zero, Snyk reports zero, so PAP days, the top 1,000 does not have known vulnerabilities.
A
And we go through the support info, so basically targeting, you know, I won't go into detail here, but talking about the different components, what they are. You know, talking about that we're working on best practices. Again, you know, not going into much detail, but saying that we're working on best practices, the different areas, we have them in draft and non-draft. So please go take a look, and it's a good place to contribute as well. We're working on patterns of engagement. So, as we said, we chose packages.
A
A
B
Mention these things that was, we already has on the cages, so that's support validation, notation, resulting from keywords, the status board, and then go to raise the stuff that we discuss tonight. We have the issue open for the Timofey in C I'm just going to introduce what the problem is and why we need to solve it, and then just mention the options that I'm currently thinking of. I'm working on a request right now, I hope I will open it this week, I'll probably finish it off on the.
B
A
H
A
A
A
A
C
B
B
B
A
C
So Renovate is really sort of the preview features. We reached out to Greenkeeper, but they're happy where they are. Okay, essentially, the was to Dependabot, which has been bought by GitHub, doesn't quite seem to be as advanced as either the other two last time I looked. So, you know, Renovate still looks like the most configurable. Okay, I pick up, all them, but Greenkeeper held out, but only a small company. You know, they're very responsive. They know wit we're happy with what we have our users.
C
B
E
A
So there's MRSA has a PR, there's been some discussion, so certainly if people can engage there, and, you know, hopefully we'll end up with a good baseline practice that can be used there. There's also discussion at the OpenJS Foundation, should we have like guidance for projects, and I think we'll probably base that off of what comes out of this.
F
F
D
F
It's kind of npm exploring with that, then I think is the first iteration, we're trying the waters with regard to the funding aspect, so we'll see how the community will react, and so definitely love to hear from this group too. So if anyone wants to check the PR itself, it's currently open, npm CLI repo. What.
G
F
D
F
F
D
C
F
D
F
A
Okay, okay, so yeah, we should take a look at that and, yeah, you know, give us, because I think we, you know, we've come to consensus on the support info, so we'll probably be starting to recommend that as well, and we can see, you know, how that goes and figure out the interaction now that we've actually got consensus on that front.