Attendance: Wes Todd, Blake Embrey, Rand McKinney, Jean Burellier, Ulises Gascon, Jon Church
Agenda items are currently pulled from issues tagged top-priority in the Discussions repo.
4.18.3, released less than a week ago, has over 2 million downloads so far.
- There has been discussion about changing the cadence, and about the attendance policy.
- Jon Church brought up whether or not the existing TC is okay with the cadence and expectations, as it is a change from the less frequent meetings before.
Discussion:
- Is the expectation that the full TC attends every meeting?
- Rand agrees that it's fair to have an inactivity policy, so long as it is not draconian.
- We don't need to lock on an inactivity policy right now, as we don't really intend to kick people out in the near term for being inactive while we are still figuring out cadence
- Jean says releasing Express v5 should be a priority
- What Node version do we want to support?
- Today the minimum supported Node version for v5 is Node v4
- Here is the migration guide currently on the website for Express 5: https://expressjs.com/en/guide/migrating-5.html
- There is an Express LTS issue with discussion about an LTS strategy: expressjs/discussions#196
- Wes sees v5 as a stepping stone, and suggests that we write an LTS policy doc and include that v5 is a unique case.
- Jean suggests using Node v14 as the lowest supported version for v5
- Ulises: how long do we want to support v4?
- He would like to see it supported for years to come
- Wes says he'd like to see "no less than a year, ideally 2 years", talking about security patches.
- Jean says 1 year of maintenance, 2 years of security updates
- Ulises says maybe consider sponsorship from companies who require longer support for security
Decision:
- Support Node 14 for Express 5
- Jean will open a PR with the LTS strategy discussed
Wes created a GitHub Project to try it out as a means of tracking the work that is happening.
- OpenJS Foundation has offered a security audit; the kickoff meeting has already happened
- There are a lot of questions about what working with them entails, and they are flexible about working however the team wants
- Wes suggests handing it off to the Security Working Group
- Security WG was created in expressjs/discussions#165
- There will be a public part (streamed meetings) and a private component for WG members, so reports can be triaged in private before a fix is released.
Decision:
- Hand off the audit to the Security WG.
Before he had to leave, Rand brought up that there is a lot of documentation work that needs to be done. We're hoping to leverage the community to swarm on docs once we know what needs to happen.