HTTPS Imports · nodejs · Discussion #4909

Concern: npm packages using HTTPS imports.

Posting this to link discussion from @ljharb in nodejs/node#36328 (comment) re implications for supporting in node_modules.

Personally I would be concerned about npm packages being published that use HTTPS imports as that very much changes the security model / contract that npm provides to users in being able to comprehensively replicate a module graph via only a node_modules filesystem model.

This likely won't be a problem initially as no one would publish a package to npm that isn't supported in older Node.js versions, but once support reaches all versions, some company might think it's a good way to automatically manage updates / ensure registered code delivery.

While that is already possible today via network based processes and even install hooks, it's a pattern that we have luckily so far avoided from happening too much and I hope we can continue to work towards ensuring strong guarantees around the registry and package contracts that ensure end user agency.

I haven't watched the video so apologies if this is repeating talking points already said, feel free to fill in further here.
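The concern above is that a package which resolves a specifier like `import x from 'https://...'` has pulled part of its module graph out of node_modules, so a copy of the tree no longer reproduces what runs. One defensive check a registry, CI pipeline or auditing tool can make is to scan published sources for remote-URL specifiers. The following is an added example, not code from the discussion or from Node.js or npm; the regular expressions, the `findRemoteImports` / `auditPackage` helpers and the sample package contents are all constructed for illustration, and the regex-based scan is a simplification (a URL assembled at runtime would not be caught).

```javascript
// Added example (not from the discussion): scan package sources for module
// specifiers that point at a remote URL instead of into node_modules.
// Two patterns cover the ESM forms: static import/export-from declarations
// and dynamic import() calls. Assumed simplification: specifiers are found
// with regular expressions rather than a full JavaScript parser, so an
// unusual layout or a URL built at runtime (import(base + path)) is missed.

const STATIC_IMPORT = /\b(?:import|export)\s+(?:[^'"`;]*?\s+from\s+)?(['"])(https?:\/\/[^'"]+)\1/g;
const DYNAMIC_IMPORT = /\bimport\s*\(\s*(['"])(https?:\/\/[^'"]+)\1\s*\)/g;

// Return the 1-based line number of a character offset in `source`.
function lineOf(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) {
    if (source.charCodeAt(i) === 10) line++;
  }
  return line;
}

// Find every remote-URL specifier in one file's source text.
function findRemoteImports(source, filename = '<memory>') {
  const findings = [];
  for (const [kind, re] of [['static', STATIC_IMPORT], ['dynamic', DYNAMIC_IMPORT]]) {
    re.lastIndex = 0; // reset the global regex between files
    let m;
    while ((m = re.exec(source)) !== null) {
      // m[1] is the quote character, m[2] the URL inside it
      findings.push({ file: filename, line: lineOf(source, m.index), kind, url: m[2] });
    }
  }
  return findings;
}

// Audit a map of filename -> source, i.e. what a walk over node_modules
// would yield once each file has been read.
function auditPackage(files) {
  const findings = [];
  for (const [name, src] of Object.entries(files)) {
    findings.push(...findRemoteImports(src, name));
  }
  return findings;
}

// Constructed sample package: one clean file whose only URL is a string
// literal, and one file that loads code over the network in three ways.
const SAMPLE_PACKAGE = {
  'node_modules/good-pkg/index.js': [
    "import path from 'node:path';",
    "import { helper } from './lib/helper.js';",
    "const docs = 'https://example.invalid/docs'; // a string, not a specifier",
    'export default helper;',
  ].join('\n'),
  'node_modules/risky-pkg/index.js': [
    "import lodash from 'https://cdn.example.invalid/lodash.js';",
    'export * from "https://cdn.example.invalid/extra.js";',
    'export async function load() {',
    "  return import('https://cdn.example.invalid/plugin.js');",
    '}',
  ].join('\n'),
};

for (const f of auditPackage(SAMPLE_PACKAGE)) {
  console.log(`${f.file}:${f.line} ${f.kind} import of ${f.url}`);
}
```

Run against the constructed package it reports only the three specifiers in `risky-pkg`; the `https://` string literal in `good-pkg` is not a specifier and is ignored. In a real pipeline the `files` map would be filled from a tarball or a node_modules walk, and any finding would be treated as a break of the "node_modules alone reproduces the graph" contract the post describes.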