
So I was reading this.

And I'm a bit confused about how it works. As I understood it:

If I only have .gitignore in my repo, npm will use .gitignore, but if I have both .gitignore and .npmignore, npm will only read .npmignore, right? Or will it read both?

I need to know, because if it's only reading .npmignore I have to copy-paste stuff from .gitignore as well.

Bromer
1 Answer


Or will it read both?

As mentioned here, it will only read the .npmignore

If you want to include something that is excluded by your .gitignore file, you can create an empty .npmignore file to override it.

Although, Jeff Dickey advocates for: "For the love of god, don’t use .npmignore"

However, what you probably don’t know is that my little action of adding the npmignore file actually causes npm to now consult that file instead of the gitignore files.
This is a major issue—I’ve now leaked all my AWS credentials out to the public just by adding this .npmignore to hide my test directory.

What’s worse is I probably have no idea this happened. npm publish doesn’t show the files that were packed (it actually does with npm 6).
I don’t see the files on the npm registry.

The only real way to see the files is by adding the package to a project and manually looking inside node_modules. I might do that someday out of curiosity and discover my AWS credentials have been sitting out in the open for months.

Solution/safer alternative:

npm supports whitelisting though, just add a files attribute to package.json with everything you intend to add to the project.
Now only the files that are specified in files will be included in the project and your dotfiles will be ignored.

KyleMit
VonC
  • Let's say I have `test*` in my `.gitignore` and I have `test* .github` in `.npmignore`, so I'm fine then? It will not push anything containing `test*` to GitHub and won't publish it to npm, and also it won't publish the `.github` folder to npm, correct? – Bromer Nov 24 '19 at 08:14
  • also you forgot to paste first link: `As [mentioned here][1], it will read only the .npmignore` – Bromer Nov 24 '19 at 08:14
  • @Bromer Yes, but do not use npmignore, as explained. – VonC Nov 24 '19 at 08:22
  • My opinion of Node's maturity sinks even lower. – Peter Wood Nov 24 '19 at 08:27
  • I read that article; the author's issue was that he didn't know that npm ignores the `.gitignore` file if there is a `.npmignore` file, which is stupid of npm. But it doesn't make any sense for me to whitelist files in my use case, since only 5-10% of files have to be ignored. – Bromer Nov 24 '19 at 08:31
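The following is an added example, not code from the answer or from npm itself. It is a small Node.js simulator of the packing rule the answer describes (npm consults `.npmignore` when it exists and only falls back to `.gitignore` when it does not, while a `files` whitelist in `package.json` takes precedence over both), run against a constructed sample repository that uses the `test* .github` ignore file from the comment above. The pattern matcher is a deliberately simplified gitignore subset and the always-included list is only a subset of npm's real one; both are assumptions of this example, and npm's built-in always-excluded names (`.git`, `node_modules`, ...) are left out. The names `packedFiles`, `ignoreFileConsulted`, `leakedSecrets` and the three scenario objects are made up for this illustration.

```javascript
// Added example (not from the answer): simulates which files npm would pack
// for a repo, to show why adding .npmignore can expose files that .gitignore
// was keeping out, and how a "files" whitelist avoids that.

// Subset (assumption) of the files npm always packs regardless of ignore rules.
const ALWAYS_INCLUDED = ["package.json", "README.md", "LICENSE"];

// Simplified glob: "*" matches within one path segment only.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[^/]*");
  return new RegExp("^" + escaped + "$");
}

// Simplified gitignore semantics: a trailing "/" is a directory prefix, a pattern
// without "/" matches any path segment, a leading "/" anchors to the repo root.
function matchesIgnore(filePath, pattern) {
  const p = pattern.trim();
  if (p === "" || p.startsWith("#")) return false;   // blank line or comment
  if (p.endsWith("/")) return filePath.startsWith(p); // directory prefix
  const anchored = p.startsWith("/");
  const re = patternToRegExp(anchored ? p.slice(1) : p);
  if (anchored || p.includes("/")) return re.test(filePath);
  return filePath.split("/").some((segment) => re.test(segment));
}

// A "files" entry names a file, a directory (everything below it) or a glob.
function matchesWhitelist(filePath, entry) {
  const e = entry.replace(/\/$/, "");
  if (filePath === e || filePath.startsWith(e + "/")) return true;
  return patternToRegExp(e).test(filePath);
}

// The answer's key point: .npmignore, when present, replaces .gitignore entirely.
function ignoreFileConsulted(repo) {
  return repo.npmignore !== undefined ? ".npmignore" : ".gitignore";
}

function packedFiles(repo) {
  const ignoreRules =
    repo.npmignore !== undefined ? repo.npmignore : repo.gitignore || [];
  return repo.tree.filter((filePath) => {
    if (ALWAYS_INCLUDED.includes(filePath)) return true;
    if (Array.isArray(repo.packageJson.files)) {
      // Whitelist mode: ignore files are not consulted at all.
      return repo.packageJson.files.some((entry) => matchesWhitelist(filePath, entry));
    }
    return !ignoreRules.some((pattern) => matchesIgnore(filePath, pattern));
  });
}

// Constructed sample repository: two secret files that .gitignore keeps out of git.
const tree = [
  "package.json", "README.md", "index.js", "lib/util.js",
  "test/util.test.js", ".env", ".github/workflows/ci.yml", "aws-credentials.json",
];
const gitignore = [".env", "aws-credentials.json", "node_modules/"];
const SECRETS = [".env", "aws-credentials.json"];

// Scenario 1: .gitignore only. The secrets stay out of the tarball.
const onlyGit = { tree, packageJson: {}, gitignore };
// Scenario 2: the .npmignore from the comment thread is added to hide tests
// and .github. .gitignore is no longer consulted, so both secrets get packed.
const withNpmignore = { tree, packageJson: {}, gitignore, npmignore: ["test*", ".github"] };
// Scenario 3: the answer's safer alternative, a "files" whitelist in package.json.
const withWhitelist = { ...withNpmignore, packageJson: { files: ["index.js", "lib"] } };

function leakedSecrets(repo) {
  return packedFiles(repo).filter((f) => SECRETS.includes(f));
}

for (const [name, repo] of Object.entries({ onlyGit, withNpmignore, withWhitelist })) {
  console.log(`${name}: consults ${ignoreFileConsulted(repo)}; packs`,
    packedFiles(repo), "; leaked:", leakedSecrets(repo));
}
```

Running it prints the packed list for each scenario: the second scenario packs `.env` and `aws-credentials.json` even though `.gitignore` still lists them, which is exactly the leak described in the quoted article, and the third scenario packs only `index.js`, `lib/` and the always-included files, so the whitelist does not depend on keeping two ignore files in sync.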