Closed deepsweet closed 8 years ago
Thanks for this. Isn't this more robustly done with .npmignore? That way if we add new files later, we don't have to remember to update package.json before publish (something we would almost certainly not notice, since everything would work correctly locally).
FWIW, I typically do it with .npmignore.
The only thing to watch there, I think, is that with a .npmignore file around, something about "only files git knows about" (whether that is via .gitignore or 'git ls-files') isn't processed by npm. Meaning that a temp file sitting around that isn't in git, will be included in the npm published package. I typically have a guard on my 'npm publish' calls to ensure that 'git status' is clean, e.g.: https://github.com/joyent/node-triton/blob/master/Makefile#L57
In my own opinion, whitelisting with files: [] is more secure than blacklisting with .npmignore. I saw examples where the .idea folder was published just because it's hard to remember that you have to "sync" .npmignore with .gitignore. Something like a remote-ftp config with a password would be more serious.
If you forgot to include something, then your patch version will be quick and easy. If you forgot to exclude something important, then it will leak without any "undo" guarantee.
Anyway, feel free to use .npmignore if you like this way. I just wanted to say that examples/, test/ and a few files from the root dir are not necessary to be published :)
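The trade-off argued in this thread, as an added example that is not part of any comment or of the project's code: a simplified model of a files allowlist and a .npmignore denylist, plus the "only publish what git tracks" guard mentioned above. Matching is reduced to exact path or directory prefix (an assumption, not npm's real rules), and every file name and list is constructed.

```javascript
// Simplified matcher: a rule is an exact path, or a directory ending in "/".
const hit = (path, rules) =>
  rules.some(r => path === r || (r.endsWith("/") && path.startsWith(r)));

// Allowlist: the package.json "files" approach (publish only what is listed).
const packWithFiles = (tree, files) => tree.filter(p => hit(p, files));
// Denylist: the .npmignore approach (publish everything not listed).
const packWithNpmignore = (tree, ignore) => tree.filter(p => !hit(p, ignore));

// Publish guard: any packed path that git does not track is a stray local file.
function auditPack(packed, tracked) {
  const known = new Set(tracked);
  return packed.filter(p => !known.has(p));
}

// Constructed working tree: files committed to git ...
const tracked = ["package.json", "README.md", "index.js", "lib/core.js",
                 "examples/demo.js", "test/core.test.js"];
// ... plus local files that were never committed (hypothetical names).
const stray = [".idea/workspace.xml", ".ftpconfig"];
const tree = [...tracked, ...stray];

const files = ["package.json", "README.md", "index.js", "lib/"];
const npmignore = ["examples/", "test/"];

const viaFiles = packWithFiles(tree, files);
const viaIgnore = packWithNpmignore(tree, npmignore);

console.log("files allowlist packs:", viaFiles);
console.log(".npmignore packs:     ", viaIgnore);
console.log("untracked via files:     ", auditPack(viaFiles, tracked));
console.log("untracked via .npmignore:", auditPack(viaIgnore, tracked));

// The opposite failure mode: a new tracked file outside the allowlist
// is left out of the package until "files" is updated.
const later = [...tree, "helpers.js"];
console.log("helpers.js packed via files:     ",
  packWithFiles(later, files).includes("helpers.js"));
console.log("helpers.js packed via .npmignore:",
  packWithNpmignore(later, npmignore).includes("helpers.js"));
```

For a real package, the packed list can be taken from `npm pack --dry-run --json` and the tracked list from `git ls-files`, then passed to `auditPack`.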
Thanks for that. Closing in favor of #34 (based on npmignore).
Loading unnecessary files is one of the reasons npm installs take so darn long. Anton Rudeshko very well put it in his article:
Corey Butler also wrote a nice article about why it's important to minimize module footprints, including test suite:
Also see NPM docs for details about the files field in package.json.