bluwy / publint

Lint packaging errors
https://publint.dev
MIT License

suggest "npmignore or files" instead of just files #80

Closed ljharb closed 11 months ago

ljharb commented 11 months ago

Using files is dangerous, because if you forget to include something, you break people - whereas if you use npmignore and forget to include something, you just publish something extra and unused.

At the least, could the relevant suggestions be agnostic about which mechanism is used to select which files are published?

bluwy commented 11 months ago

Showing files only is intentional as I'd like to encourage authors to publish files that are only needed and respect the users' network bandwidth. The same could be said when adding new files that were not meant to be published too. If they prefer to use .npmignore, the rules documentation for the suggestion has a link that indirectly points to it, so I prefer to keep it the way it is for now.

ljharb commented 11 months ago

That's unfortunate, since "publish only files that are needed", and the user's network bandwidth, is much much less important than protecting the user's runtime application by keeping it working.

It's npm's job to manage bandwidth, not individual package authors.

bluwy commented 11 months ago

Both are certainly equally important and package maintainers should equally prioritise them before publishing packages. But I think .npmignore gives the bigger leeway to make mistakes without an easy way to identify them.

ljharb commented 11 months ago

I don't agree they're equally important; correctness is far more important than a largely infinite resource.

files gives a bigger leeway to make a mistake that uses less bandwidth but breaks an application; npmignore gives a bigger leeway to make a mistake that uses more bandwidth but has no other impact on an application.

Downtime is infinitely more expensive than bandwidth, thus, npmignore is the safer and better approach.
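
The two failure modes debated in this thread can both be checked before publishing. The following is an added example, not part of the thread and not publint's code: it compares the paths package.json points at with a packed file list (such as the one `npm pack --dry-run --json` reports). The function names, the `UNWANTED` patterns and the sample data are assumptions made for illustration.

```javascript
// Added example (not publint's code). All sample data below is constructed.
// Normalise "./dist/index.js" to "dist/index.js", the form used in pack listings.
const norm = (p) => p.replace(/^\.\//, "");

// Gather every file path that package.json points consumers at.
function collectEntryPoints(pkg) {
  const found = new Set();
  const walk = (value) => {
    if (typeof value === "string") {
      // Skip subpath patterns ("./*"); they do not name a single file.
      if (value.startsWith("./") && !value.includes("*")) found.add(norm(value));
    } else if (value && typeof value === "object") {
      Object.values(value).forEach(walk); // condition objects and arrays
    }
  };
  for (const field of ["main", "module", "types"]) {
    if (typeof pkg[field] === "string") found.add(norm(pkg[field]));
  }
  const bins = typeof pkg.bin === "string" ? [pkg.bin] : Object.values(pkg.bin || {});
  bins.forEach((b) => found.add(norm(b)));
  walk(pkg.exports);
  return [...found].sort();
}

// Hypothetical patterns for files that usually should not ship; adjust per project.
const UNWANTED = [/^\.env/, /^test\//, /\.pem$/];

// Exact-path comparison; an extensionless "main" is not resolved here.
function auditPackedFiles(pkg, packedPaths) {
  const packed = new Set(packedPaths.map(norm));
  return {
    // `files` failure mode: a referenced file is absent, so consumers break.
    missing: collectEntryPoints(pkg).filter((p) => !packed.has(p)),
    // `.npmignore` failure mode: something extra was published.
    unexpected: [...packed].filter((p) => UNWANTED.some((re) => re.test(p))).sort(),
  };
}

// Constructed sample: `files` allowlists dist/ but the CLI lives in bin/.
const samplePkg = {
  main: "./dist/index.js",
  types: "./dist/index.d.ts",
  bin: { "example-pkg": "bin/cli.js" },
  exports: { ".": { import: "./dist/index.mjs", require: "./dist/index.js" } },
  files: ["dist"],
};
const samplePacked = ["package.json", "dist/index.js", "dist/index.mjs", "dist/index.d.ts"];
console.log(auditPackedFiles(samplePkg, samplePacked));
```

A non-empty `missing` list is the breakage described for a too-narrow `files`; a non-empty `unexpected` list is the over-publishing described for an incomplete `.npmignore`.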