garycourt / uri-js

An RFC 3986 compliant, scheme extendable URI parsing/validating/normalizing/resolving library for JavaScript
Other
305 stars 68 forks

Remove `yarn.lock` from publish files #76

Open styfle opened 2 years ago

styfle commented 2 years ago

This was already ignored in `.npmignore` but was still published to npm due to `files` in `package.json`.

lfarrel6 commented 2 years ago

Is there any timeline on when this can be merged and included in a release?

The yarn.lock being included in the released package incorrectly triggers vulnerability scanners.

styfle commented 2 years ago

cc @garycourt

MFTabriz commented 2 years ago

I have complained about this to my poor colleague without knowing it’s your package that’s shipping this. You owe him an apology! 😉

jorrit commented 2 years ago

I think the entire `files` section can be removed. Most files it mentions are always included in the NPM package, even when not specified. Also, as this bug demonstrates, having `.npmignore` and `files` is confusing.

prajwalmr62 commented 1 year ago

@garycourt can this be merged? We are also facing issues with vulnerability scanners due to this lock file.
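An added example, not part of the thread or of the uri-js repository: a pre-publish check for the situation discussed above, where a lock file named in `package.json` `files` ships in the tarball despite `.npmignore` and then gets picked up by dependency scanners. It assumes the listing shape of `npm pack --dry-run --json` (an array of tarballs, each with a `files` array of `{ path }` objects); the package data and the list of lock file names are constructed for illustration.

```javascript
// Assumption: lock file names a publish check should flag; adjust to your tooling.
const LOCKFILES = new Set(["yarn.lock", "pnpm-lock.yaml", "package-lock.json"]);

// Last path segment, so nested copies such as "tools/yarn.lock" are caught too.
function baseName(p) {
  return String(p).replace(/\/+$/, "").split("/").pop();
}

// Entries of package.json "files" that name a lock file directly.
function lockfilesInFilesField(pkg) {
  return (pkg.files || []).filter((entry) => LOCKFILES.has(baseName(entry)));
}

// Paths in parsed `npm pack --dry-run --json` output that are lock files.
function lockfilesInPackListing(packOutput) {
  const hits = [];
  for (const tarball of packOutput || []) {
    for (const file of tarball.files || []) {
      if (LOCKFILES.has(baseName(file.path))) hits.push(file.path);
    }
  }
  return hits;
}

// Combined result: what the manifest asks for and what would actually ship.
function auditPublish(pkg, packOutput) {
  const listedInFiles = lockfilesInFilesField(pkg);
  const inTarball = lockfilesInPackListing(packOutput);
  return { listedInFiles, inTarball, ok: inTarball.length === 0 };
}

// Constructed sample: a manifest whose "files" names yarn.lock, and the
// matching pack listing (not the real uri-js manifest or tarball).
const samplePkg = {
  name: "example-lib",
  version: "1.0.0",
  files: ["dist", "src", "README.md", "yarn.lock"],
};
const samplePack = [{
  id: "example-lib@1.0.0",
  files: [{ path: "package.json" }, { path: "dist/index.js" }, { path: "yarn.lock" }],
}];

// Same package after dropping the lock file from "files".
const fixedPkg = { ...samplePkg, files: ["dist", "src", "README.md"] };
const fixedPack = [{ id: "example-lib@1.0.0",
  files: samplePack[0].files.filter((f) => f.path !== "yarn.lock") }];

console.log(JSON.stringify(auditPublish(samplePkg, samplePack)));
console.log(JSON.stringify(auditPublish(fixedPkg, fixedPack)));
```

In CI, feed `auditPublish` the parsed output of `npm pack --dry-run --json` and fail the job when `ok` is false.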