whitelist index.js when publishing NPM module #7
tobiasbueschel wants to merge 1 commit into juliangruber:master from tobiasbueschel:master
| "homepage": "https://github.com/juliangruber/array-filter", | ||
| "main": "index.js", | ||
| "files": [ | ||
| "index.js" |
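Review bot: the "files" array names only "index.js", so a file that index.js later comes to require from another path (a helper under lib/, a JSON data file) would be left out of the published tarball unless this list is updated in the same change. If the allowlist stays, pair it with a check of the packed file list before each publish, for example by reviewing the output of npm pack --dry-run, so a missing runtime file is caught before consumers install it.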
The “files” field is dangerous - the only way published files should ever be restricted is by npmignore.
I neither agree nor disagree with this statement but is there a particular issue you are thinking of with this project? From what I can see the tests do not test a specific module but the package as a whole (i.e. require('..') vs require('../index.js')) which I think is a really good practice as it will also highlight (although indirectly) any packaging issues.
I suppose files is more of a "publish nothing by default" policy and .npmignore is more of a "publish everything by default" policy. I tend to favour the files option as it somehow mitigates the risk of publishing "secrets" by accident.
That’s an accurate analysis - there shouldn’t be any secrets in the repo in the first place tho, and rotating secrets is far easier than unbreaking millions of downstream builds, which is the (much more problematic) risk of the files option.
These days both GitHub and npm auto-detect many published secrets, and disable the ones they know about. It’s just not a real problem.
Hi @juliangruber,
Thanks for your work with this module!
I noticed that the test folder and .travis.yml are included in the distributed NPM module:

Hence, in the spirit of keeping the module size small, this PR whitelists index.js.
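
The trade-off debated in this thread, as an added example that is not part of the PR or the project: a pre-publish check over a pack list (such as the one `npm pack --dry-run --json` reports) that flags files reachable from `main` but missing from the tarball, and packed files with secret-looking names. The repo layout, the `auditPackList` helper and the name patterns are assumptions made for illustration.

```javascript
// Constructed sample repo (hypothetical layout, not the array-filter package).
const SOURCES = new Map([
  ['index.js', "var compact = require('./lib/compact');\nmodule.exports = compact;"],
  ['lib/compact.js', 'module.exports = function (a) { return a.filter(Boolean); };'],
  ['test/test.js', "require('..');"],
  ['.env', 'TOKEN=placeholder'],
]);
// Pack lists for the two policies discussed in the thread (constructed).
const WITH_FILES_FIELD = ['package.json', 'index.js'];      // "files": ["index.js"]
const WITHOUT_FILTER = ['package.json', ...SOURCES.keys()]; // no "files", no .npmignore

const SECRET_NAME = /(^|\/)(\.env(\..*)?|id_rsa|[^/]*\.pem)$/; // assumed patterns
const REQUIRE_RE = /require\(\s*['"](\.{1,2}\/[^'"]+)['"]\s*\)/g;

// Join a relative request onto the directory of the requiring file.
function joinRel(fromFile, request) {
  const parts = fromFile.split('/').slice(0, -1);
  for (const seg of request.split('/')) {
    if (seg === '..') parts.pop();
    else if (seg !== '.' && seg !== '') parts.push(seg);
  }
  return parts.join('/');
}

// Simplified Node resolution: exact path, then ".js", then "<dir>/index.js".
function resolveRel(fromFile, request, sources) {
  const base = joinRel(fromFile, request);
  return [base, base + '.js', base + '/index.js'].find((p) => sources.has(p)) || base;
}

// Walk relative require() calls from `main`; report runtime files absent from
// the pack list and packed files whose names look like secrets.
function auditPackList(main, files, sources) {
  const packed = new Set(files);
  const seen = new Set();
  const missing = [];
  const queue = [main];
  while (queue.length) {
    const file = queue.shift();
    if (seen.has(file)) continue;
    seen.add(file);
    if (!packed.has(file)) missing.push(file);
    const src = sources.get(file) || '';
    for (const m of src.matchAll(REQUIRE_RE)) queue.push(resolveRel(file, m[1], sources));
  }
  return { missing, secrets: files.filter((f) => SECRET_NAME.test(f)) };
}
```

On the sample data the allowlisted pack list fails the `missing` check (the broken-install risk) and the unfiltered one fails the `secrets` check (the accidental-leak risk).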