From YouTube: Open RFC Meeting - Wednesday, March 4th 2020
Description
In our ongoing efforts to better listen to and collaborate with the community, we're piloting an Open RFC call that helps to move conversations and initiatives forward. The focus should be on existing issues/PRs in this repository but can also touch on community/ecosystem-wide subjects.
GitHub Agenda Issue:
https://github.com/npm/rfcs/issues/104
Notes:
https://docs.google.com/document/d/1lHIcA9gBMA476j3EaPPq8-rQXmaQ7-MbGWDDtiTnmZY/edit
A
We've got Wes, Cory, and Jordan joining us today, and hopefully some more folks will join. Just quickly: there is a Google Doc for meeting notes that I've shared in the chat; feel free to add yourselves as attendees. Claudia's kindly said that she'll take notes for today's meeting, which is awesome. And just a couple of housekeeping notes. We are live on YouTube, and so be...

A
...mindful of, you know, what you say. And also these calls and all the discourse that we have on our RFCs is essentially collected under our code of conduct, so feel free, there's a reference in that doc as well, to familiarize yourself with that. And essentially the intention and desired outcomes of these calls is to again create a communication channel for the community to give us feedback, present ideas, and hopefully move discussions, issues, RFCs, PRs forward, and hopefully over time we'll get better and better at writing. So the agenda is listed there again.

A
So if folks haven't already, please jump into that issue and vote for essentially another call that we're going to be setting up, which was a great idea by Wes, to do deep dives on topics, which, you know, there's a pretty large backlog right now of issues and RFCs that we'd love to get into. And so we're queuing up for next week a deep dive on workspaces specifically, I know.

A
We have it as an agenda item today, so we'll allow for folks to discuss that here, but we'll time-box it and let folks know that we're gonna go deep into the weeds there next week, and I think Ruy's gonna lead that call, as he's been essentially quarterbacking the initiative there on our end. So just be mindful. If you can, jump into that issue, 105, and vote for the timeslot you'd like to see.

A
Unfortunately, Wednesdays are the only sort of free time slot that we have for most of the npm team, based on other internal meetings and activities that we have that have sort of blocked us on other days. So yeah, without further ado, I'd love to jump to the first actual RFC in the agenda, unless other folks have items they want to pull up first. This is essentially the RFC for workspaces that Ruy's been working on, I know, with us and Jordan to some extent, I don't know.

A
If, Ruy, you want to sort of kick this discussion off, we'll time-box it for, let's say, 10 minutes. If we go to that, and you can also note that, you know, we're gonna go even deeper into the weeds there. We may want to also just punt this to next week, if most folks on here can actually make that call. Yeah.

A
Eastern Time, so it will probably be at the same time, same place, same links, etcetera, etcetera. So moving on, RFC number 6, publish confirmation prompts. I think we maybe discussed this a little bit in the last call, but Ruy, I'm not sure if you have any update on this or whether or not we want to take this off the agenda.

B
Where we landed last meeting was that one of the fundamentals in the RFC, like, it's not really there? The fact that the CLI is not really aware whether two-factor is enabled or not, right, so it should be at least kind of, like, corrected, revised before approving. Where, I mean, if anything else with me. Okay.

D
A
B
It didn't materialize as an actual RFC, yeah, but this came up when me and Jordan were talking about workspaces. I think he just dropped from the call, but yeah, would be nice. But basically he was bringing up to our attention that, like, a very, very important aspect of workspaces is having things working together, and peer dependencies is a big part of that. So it is basically about providing a better interface working for those peer dependencies from the CLI, right.

B
E
B
F
I want to tease this one apart. I'm hearing, like, three kind of different, somewhat interrelated issues here. The first is, you know, absent anything else about workspaces, whatever, should we have some kind of flag that says save it as a peer dependency, just like we do for dev and optional and bundled and regular prod dependencies? I think the uncontroversial answer there is yeah.

F
We should. The thing that's already implemented in arborist is kind of in anticipation of this, and I think even in the v7 beta branch that we've been working on, where we're kind of working on the epics for the initial v7 updates, we actually have save-peer as a thing. I don't think it's documented yet, but the implementation is there. Now the thing is, like, the way we have it is, like, the simplest possible implementation. It's just: if you do save-peer, it's just like save-dev.

F
We just put it in, you know, as a peer dependency, with the same kind of save prefix and save logic that we have for anything else. Now the question should really be, and so that's the first issue. I think we should just all thumbs-up that and say yeah, we should have a save-peer flag and it should save it as a peer dep; it's easily done. The second thing is: should we make some changes to how we save things in general, and should there be a different way to do that?

F
It's pretty common for people to use, like, greater-than-equals, or multiple different version ranges, right, because conflicts there are such a huge pain in the ass. If I have one package that peer-depends on react version 16.2 and another one that peer-depends on react 16.3, I can't use those things together. Now in practice, they probably both just work with react.

F
So if you depend on that git repo, we have to pull it from that git repo. If something else is depending on a version range, then there's no easy way to say: okay, what's the git ref that satisfies this version range, right, unless they're using, like, semver tagging or something like that, and just the logic, it's a lot more complicated.

F
So there has been some desire to say that, you know, peer dependencies have to be a version range rather than a git ref or something else, and so that's kind of a whole other interesting conversation around peer deps and how we save them. The third question here is: how should peer dependencies be handled in a workspace? I would push for punting that until next week, yeah? That's a big question and it's really very workspace-specific. It's not really specific to peer deps or saving them, yeah.

E
I think it's mostly moot now. I was gonna say that resolution that you're talking about, Isaac, about a git dependency. It's a similar resolution to, it's not the same, but a similar resolution to bundled dependencies, is it or not? Like, you wouldn't know whether the thing satisfies whatever you're looking for until you actually have that thing with you, right. So that's what you mean, yeah.

F
E
A
I think, like, I just wanted to bring this up, but it would probably make sense for somebody to again quarterback maybe that first thing. Essentially, like, it makes sense for us to just have that flag exist. I can.

F
A
Thanks, really cool. Any other feedback on that? Pretty straightforward, awesome, let's move on then. So item number six, issue number 93, standardized browser-based login mechanism. I know we had a pretty good discussion about this in the last call, I recall. Amelia's not on the call today, but just wondering if there's anything you may follow up on.

A
F
I did have occasion to go and touch that code in npm-profile pretty recently as part of our npm v7 update, and also an interesting, if extremely difficult to pull off, security issue, possibly, you know, hypothetical security issue that we addressed. But so yeah, I think the long and short of it is, like, it's really not hard to do.

F
We should do it. It's just a matter of kind of prioritizing the work. There are some open questions still, as far as, you know, and I'd like to get to an RFC that has some of those questions answered. I don't think any of them are hard; most of them are somewhat arbitrary, right. It's just, like, what is the endpoint, there's something else.

F
What kind of token we send back, or a refresh token we send back, and so on. And then somebody's just gonna have to quarterback the, you know, take on the work of implementing that in npm-profile, and from the point of view of the CLI it'd be mostly just agnostic, right. The CLI just calls profile.login and responds to whatever, you know, passes the prompt technique and the browser name and everything, yeah.

A
While you were doing that work, I did uncover some legacy docs around the original auth flow, which also had, like, some pictures of whiteboards etc., which seemed to, I think, almost reference, like, what was presented here. So I'm not sure if we never fully baked, like, we had started some work down this. I'm not sure if you have historical context there, Isaac, but was there at one point, like, were we trying to do this?

F
The OAuth, uh, 2 device, what is it, OAuth device flow, did not exist when we implemented this. There was a, you know, in a corporate environment, you typically want to have some kind of single sign-on system for your npm usage, and there's a number of ways. The simplest and the worst is you auth out-of-band.

F
This is actually SSO, and so it passes this dummy user account name, and then that returns a URL that you have to open, and then it keeps pinging on the whoami endpoint in order to see, like, when you've been logged in. But it, like, it gives you a token and then you go and out-of-band you make that token valid by logging in. This is not super secure. You should never have a token that is, you should never have a token issued which is not valid, right.

F
It should be the case that you're not issued a token until the moment that it becomes valid. So we, you know, we called that out. We refactored it, and for the npm Enterprise SaaS implementation we did it a different way, and we spec'd out this thing. So you hit an endpoint. The server says: here's the URL to log in and here's the URL to ping to get your token once the login completes, right. And then npm opens up a web browser to the login URL.

F
This also, the other nice thing about this is it unifies the login and adduser flows, or it keeps them united, I guess. Currently that's kind of problematic. You know, if you open up your web browser and you don't actually have a login account or you're not currently logged in, it can say: oh, you know, go through the create-account flow, and whatever flow the browser process takes you through, it always knows it's for this particular session, and when that completes you get the token.

F
It also allows you to do things like say: I want this device that I'm logging in on, I want it only to have access to X, Y and Z, or from this CIDR range, or should be read-only, whatever. So some years went by and in the intervening time there was a spec that was written, which is close but not identical to what we're currently doing, and there's some nice features. One of the nicest security features that's added, I think the only relevant security feature that was added, was the use of refresh tokens.

F
So what that means is the token that you get, the login token you get, is only valid for some short period of time, you know, say, like, an hour, and you also get a refresh token, and this refresh token can be used to mint a new login token. The reason why this is useful is that if a man-in-the-middle attack, you know, sniffs your login token and starts using it, then they...

F
They only have access for a short window of time, and then that login token is no longer valid. And if somebody sniffs your refresh token and then reloads the token with a new one, well, now your current one no longer works, right, because every time the refresh token gets used, there's some signal there. All right, right.

D
F
That, I think the action to pull off of this is, yeah, let's get those last, you know, let's get those questions answered, get a proper opinionated spec that says: do it this way, and then make it a backlog of work for the npm login project. And I think Amelia had said that you'd be willing to even take that on, but there does need to be, you know, we do need a document.

C
I don't have much to add other than what's going on in the issue, and I think there's a lot of open questions. I think this would be worthy of the deep dive at some point. So where I left off was basically trying to push for this: don't put it in package-lock, in package.json. I think, Isaac, you brought up a lot of really good points, but I still ultimately think I disagree, and I think that it shouldn't be, but, you know, I'm going over...

C
A
F
So there's, you know, there are the needs of the Netflixes and IBMs of the world, and then there's also the needs of the, you know, the Babels and the lodashes and the nycs and demos, and I want to make sure, if we can, if we have one feature that hits at least the 80% case of those things, and then we have an additional thing that sort of layers on top of that or provides a backbone for an additional thing that meets either the corporate or the open source needs.

F
G
That's from this, so I just wanted to mention about my comment when I initially saw this RFC. I kind of saw this as a way to, with nyc. What we have is nyc has its own repo and the Istanbul libraries that it builds upon are in a monorepo, and one of the pains of the workflow is that I can't test nyc against Istanbul without publishing to next, and when I initially saw this I kind of saw an opportunity to essentially push it on the side.

E
Rather, that is specifically installing from a subdirectory. Git, it's that commit-ish issue, I don't know if you recall, Darcy, and so it's effectively saying that I would like to give it a git URL with this commit-ish that points to a folder in a GitHub repo, and then inside that folder will be a package.json that you can then read and stuff, and that becomes sort of a packument of the thing. But there's currently no such git spec for it, so we'd be inventing something, and so I think...

E
That's the reason that it's sort of fallen to the bottom of the list, but yeah, it would be interesting if that solves some of the use cases. Then also perhaps, Isaac, to your point, perhaps we can find a balance between these two things. It'll solve, like, a percent or the whole thing, depending on the use cases.

E
That's, I'm thinking of a different one. Let me see if I can dig it up.

A
But this is specifically what you were speaking to, yes, Cory? Yeah, if we solve for that, then we solve for that use case. Okay.

F
G
Yeah, and looking at issue 528, the suggested URL that they used won't work because we can't disambiguate. At one point I kind of looked into it: there are specific characters that are basically not permitted in branch names. So I think we would have to use one of those as a token to separate the branch from kind of additional parameters. So you would install, you know, git URL, hash symbol, branch, and then maybe another hash symbol and directory equals.

F
Yeah, I think this just needs to be spec'd out in an RFC. It can be a short RFC, and it'll probably be somewhat uncontroversial. It's just we need to have that written down, and then everybody thumbs-up it, and the implementation is probably pretty easy in the hosted-git-info repo.

E
G
A
Moving on then, and we'll identify, or it should be identified, that we should do a deep dive on just the rest of that RFC, specifically for staged releases or staged packages, package publish workflow. Item eight, RFC number 90, reduce lifecycle scripts environment variables. I know that we've talked about this before, and I know that you would have commented in this before where we are with this. I think you already gave an update in the last RFC call; I'm not sure if anything has changed. Yeah.

F
I did. I don't think anything has changed. There are some implementation details that we're gonna be going through and doing. As far as the, you know, the package-specific information that we put into the environment, that's all currently already handled by arborist, and I've been using that to install stuff here and there, and it seems to work, actually, for all the packages that were referenced. The place where it does get a little bit more involved is just telling the CLI, having the CLI set...

F
Everything in the CLI's environment when it spins up, which will then be inherited by the child process, and we need to port everything from using npm-lifecycle to using @npmcli/run-script.

F
A
F
A
F
It's not really clear, like, which ones are essential, which ones aren't. I'd be really surprised if anybody's using, like, npm_package_authors_17, right, like that's actually not very useful. But I think that there's, you know, name or description, like, the only place I've seen somebody use npm_package_description as an environment variable to know what to do was a malware attack that was trying to target Coinbase, right.

F
It's sort of like, I don't know, I don't think there's any valid use case for it, to be honest, and I'm always sort of suspicious when I hear other people say that, so I can understand getting some pushback on saying that there's no valid use case. But, like, honestly, we've looked, and the only thing we found is this is-install or is-publish repo, which, you know, if we just say, like, look, this is the command we're running, yeah, then actually that's a way better way to determine.

A
Be way faster than it'd be anyway. Wait, yeah, that's going to vary. Cool, okay, so we can pull that off and take off the agenda label, and hopefully get that ratified then later today, if you've got time, or sometime this week. Awesome, moving on: signed packuments. I'm not sure, Wes, did you join a while ago? I'm not sure. Or sorry, Wes, so yeah, yeah.

C
A
C
I think that part of it is there's two parts, right. So there's the CLI implementation part, which is just implementing fetching the signature, if it, you know, if it exists, and then validating it. Could that move forward independently of npm providing signatures for all the packages, right? And...

A
C
F
The problem there, or the potential gotcha there, is just we're looking at two downloads now instead of one, right, and if the, and I want to make sure that, if we're adding, I mean, if we're adding that much overhead, which is a lot of overhead, right, we're talking about doubling install times potentially on an empty cache. Well...

C
To be clear here, there's two factors there. One is, it should be done in parallel to fetching the packument, right, or it's part of, actually, never mind. Let me take one step back. It's not even two requests in one of his proposals here, which is to have it returned as a header on the packument itself, right. So it's just the one request for the packument. It would just be that the packument would include the signature in the, like he proposed, X-NPM-Signature header, yeah. We, yeah.

C
F
C
Now the other options, registry keys, registry key, right. So this is, your registry key would sign the packument, saying that the contents of the packument, which, because the integrity check is based on a value from the document, we actually can't really trust today if there's anybody sitting in between us and the registry, right, which, so man-in-the-middle attack is sort of part of the vector, but also, as well as, registry proxies, you know, are very popular. Technically you don't have any trust mechanism for the registry proxy today.

F
So let's say then, so then signing the packument, signing the packument feels like an unnecessary step then, right, if we're not worried about, if we're just talking about the registry key. If I have a signature of the packument and I've man-in-the-middled the registry and I'm the one giving you the pub key, I can just give you my pub key and my signature of it. Like, you haven't actually protected against the man-in-the-middle attack at the registry.

C
F
Which is the attack, right. So I think a good sort of next step on this, rather than just adding more signatures to more places, you know, we have, let's say, let's say you get the npm registry key from Keybase today, and we add the capability to check the signatures of the integrity values that are in the packument. If we do that without any additional work on the registry side, but just this, that's entirely a CLI change.

F
If we do that, then, let's say I'm a man-in-the-middle of the registry, I can't actually serve you an invalid tarball, because the integrity is gonna be different and there will be an invalid signature of it, right, and I can't fake that signature, because I can't get the registry's private key.

C
Okay, so what if, yeah, okay, I think that's...

C
More than just serving a certain invalid tarball, what about serving invalid package metadata, right, so saying a version exists that doesn't exist, or something to that effect, right, or filtering out a version, yeah, exactly right, so picking out a version that is a security fix that you're relying on, to exploit, right. So.

C
But they're doing that at a registry proxy layer, so this would actually, they would then be able to provide a key for their registry proxy, right, which would be doing this packument altering, so that's actually an important feature here. They would then be able to validate that the packument they got is the one that their registry proxy generated, not the one from public npm, because they're relying on it not being the one from public npm, right.

F
C
That would be the intent, right, because then the people who are running the proxy can just tell their users: hey, add this, now you know that you're always, you know, you can add it to your global .npmrc, and that would effectively mean that they can't accidentally call to public npm if they're not intended to do so, right, right. So any, so...

F
Any registry proxy essentially needs to, you know, and I didn't see this called out, but just to sort of highlight the thing we just said: any registry proxy, in a signed packument world, any registry proxy has to either strip the signature from the header or they have to provide their own signature, which the user has added to their own .npmrc out-of-band.

C
F
Am I wrong on that? They don't all have to be able to change the packument, right. You could be proxying and just proxying so that you can, like, have your own private packages, but anything public just comes from the registry. Yes.

F
I guess the only thing that I'm bringing up as a concern, I don't think there's no way to address it, but it's a concern that would have to be addressed if we were to move forward with this, is that added complexity in running your own proxy. It would be a nonzero amount more work to run a registry proxy. I don't think it's insurmountable! It's just that it's an additional thing they'd have to do.

C
F
C
F
So the other thing where I'm just getting back to thinking what is the difference, the delta in the threat model between what a signed packument protects you from versus what signed versions, signed artifacts protect you from, and the only delta is really a modification in which packages are available. I...

F
A
I just want to make sure that we get to Corey's two items here: the PR to accept dependencies in a package.json, as well as the issue 506 for npm audit. I want to make sure we get to those, since the next item, essentially the prompt for module type, I think that is an update that I can give quickly.

A
There, we've been looking to try to get the create-package, create-pkg, package name freed up and given back to the package maintenance working group, so the pkgjs org, which I think will solve for, provide a means of allowing some sort of userland tooling to solve for, let's say, the module prompt. So I think that's, like, an update there, and I'll actually add an update in the actual ticket itself.

G
Not really sure. I mean, honestly, they're both pretty important to me. The goal of accept dependencies is somewhat the same as yarn's resolutions feature. The big difference is that as a consumer of some package, I don't necessarily know that that package is compatible with an updated version of the script.

G
But the author knows if it's compatible or not, and in the situation where the author's holding back the dependency to support old Node.js versions, I'd like for them to have the ability to publish a package that will allow my program to run with latest stuff in current versions of Node.js. So the idea is that if I install an application that has many dependencies, if one of my dependencies has an updated version and another dependency requires an old version but allows the new version, then I want everything to deduplicate to just use the new version.

E
F
A
I'm gonna label, probably, them. Awesome, okay, that's great then. I, can you maybe speak to then, Corey, I know this has been on our agenda for a while now and I don't think you've been able to join until now. The bug, issue number 506 against the CLI, npm audit places false blame. I'm not sure if you can speak to this specific situation or you...

G
We use semver ranges. All of the security fixes are in range, so there is no bug in nyc or any dependency. The bug is in the user's package.json, or excuse me, package-lock.json. So to me the issue is that npm audit is naming nyc as the problem when it's not the problem; it's, you know, that user has an outdated and vulnerable package-lock.

C
The result you're talking about is a very specific case, but a very common problem is that the package-lock, like, transitives are just out of date and there's no good guidance given, like, during any of the steps, the normal workflow steps that folks go through, that would tell them this, right. So, like, if it just said, like, at some point: oh, it looks like you're, you know, you might want to take a look at your package-lock, because you've got a bunch of out-of-date transitives. But no, none of the main processes...

C
People go through, when I say main process I mean, like, 'npm install', right, indicate to them that they should take a look at it. So I found in projects, like, internally, especially when they haven't been touched in six months and somebody comes in, they're actually running tons of out-of-date stuff, right, and even if you ran npm, if you, like, for example, take npm update on Express, you actually have to run it three times to get it to stop telling you that there's some out-of-date stuff. I actually think even on the third time...

C
F
A couple of things. First of all, npm update, I believe it started in npm v5, and it's been the case in five to six, npm update only updates your first level of dependencies, and it has this depth field that you can do to say, oh, go, you know, one layer deeper or whatever. Pretty common for people to do npm update depth equals 9999 or whatever. When I was getting into this with...

F
You know, some brief history on that: it made sense back before we did any deduplication by default, because depth literally meant how deep into the folder tree are you. There was some actual thing that was depth, and then in npm v3, in order to try and sort of keep the same kind of impact, the depth now refers to the logical tree rather than the physical tree, or the logical graph, excuse me, rather than the physical tree.

F
The problem there is that a graph doesn't have depth; a graph has distance, and calculating that distance is very, there's some arbitrary choices to be made there. So the result is essentially we've gotten ourselves to a point where npm update being limited by depth makes no sense and there's no rational way to wrap your head around it. For npm v7, I ran into this when trying to re-implement this in arborist and just realizing, like, wait a second, bonkers. So in npm v7, if you run npm update, it will update your whole tree.

F
Right, so it'll kind of start by updating all those things, and then anything that's no longer valid it'll fix. So what this means is we can actually change our npm audit results to, instead of saying: oh, this is a problem with handlebars, and actually it's a problem with nyc, with tap/nyc/something-else/istanbul-reports/handlebars, right, in a way that makes it look like it's a tap or an nyc problem, and instead just say there's a problem with handlebars.

A
G
A
Got it. We'll see what we can do, though, and if we can follow up with some more comments in that thread, that'd be ideal. So again, I appreciate folks, we're a few over here. I also got kicked off a couple minutes late, so I appreciate the patience. Again, feel free to give comments and feedback to us in the open poll that we have going for the alternating call; I think that's, again, GitHub issue 105. And I appreciate everybody jumping on today, and thanks for joining us. Ciao.