TritonDataCenter / node-verror

Rich JavaScript errors
MIT License

include only necessary files in npm package #28

Closed deepsweet closed 8 years ago

deepsweet commented 8 years ago
$ tree node_modules/verror -I node_modules

node_modules/verror
├── examples/
│   ├── levels-verror.js
│   ├── levels-werror.js
│   ├── varargs.js
│   ├── verror.js
│   └── werror.js
├── lib/
│   └── verror.js
├── tests/
│   ├── tst.inherit.js
│   ├── tst.verror.js
│   └── tst.werror.js
├── .gitmodules
├── .npmignore
├── LICENSE
├── Makefile
├── Makefile.targ
├── README.md
├── jsl.node.conf
└── package.json

Loading unnecessary files is one of the reasons npm installs take so darn long. Anton Rudeshko put it very well in his article:

Speaking in terms of object-oriented design, your npm package should be highly cohesive and loosely coupled. Your package should do only one thing and do it well.

Corey Butler also wrote a nice article about why it's important to minimize module footprints, including test suite:

In the rare situation a developer actually wants to run your test suite on their own local computer, they'll likely clone or fork it.

Also see the npm docs for details about the files field in package.json.

davepacheco commented 8 years ago

Thanks for this. Isn't this more robustly done with .npmignore? That way if we add new files later, we don't have to remember to update package.json before publish (something we would almost certainly not notice, since everything would work correctly locally).

trentm commented 8 years ago

FWIW, I typically do it with .npmignore.

The only thing to watch there, I think, is that with a .npmignore file around, something about "only files git knows about" (whether that is via .gitignore or 'git ls-files') isn't processed by npm. Meaning that a temp file sitting around that isn't in git will be included in the npm published package. I typically have a guard on my 'npm publish' calls to ensure that 'git status' is clean, e.g.: https://github.com/joyent/node-triton/blob/master/Makefile#L57

deepsweet commented 8 years ago

In my own opinion, whitelisting with files: [] is more secure than blacklisting with .npmignore. I saw examples where the .idea folder was published just because it's hard to remember that you have to "sync" .npmignore with .gitignore. Something like a remote-ftp config with a password would be more serious.

If you forget to include something, then your patch version will be quick and easy. If you forget to exclude something important, then it will leak without any "undo" guarantee.

Anyway, feel free to use .npmignore if you like that way. I just wanted to say that examples/, test/ and a few files from the root dir are not necessary to publish :)

davepacheco commented 8 years ago

Thanks for that. Closing in favor of #34 (based on npmignore).