doc: add minutes for meeting 28 January

[mhdawson]

No description provided.

[dominykas]

Missed the call due to an epic 🤦‍♂️, but I can see a related discussion - coincidentally last week I implemented this: https://www.npmjs.com/package/allow-scripts

tl;dr:

• add allowScripts: { pkg: versionRange } in your package.json
• npm install --ignore-scripts or yarn install --ignore-scripts
• npx allow-scripts

fwiw, I hope I can deprecate that package soon, as --ignore-scripts + allowScripts should be the default in the package installers.

Not sure how much in scope this is for package-maintenance, probably more of a Security WG thing (will try to find a relevant issue there...)

[ljharb]

@dominykas you'd have to pursue that change in both npm and yarn.

[dominykas]

Yarn already has an RFC PR for that, npm has the thread that was mentioned in the call - this can serve as a userland ref/PoC impl to get the standards rolling (it does solve a need at work for me).

I agree security wg doesn't have levers to pull this off, but advocacy and awareness is still useful? And --ignore-scripts as a best practice (at least in CI) is also recommendable?

(Are we going borderline offtopic?)