
Do I need to copy-paste stuff from ".gitignore" to ".npmignore"?


So I was reading this.

And I'm a bit confused about how it works. As I understood it:

If I only have .gitignore in my repo, npm will use .gitignore, but if I have both .gitignore and .npmignore, npm will only read .npmignore, right? Or will it read both?

I need to know, because if it's only reading .npmignore I have to copy-paste stuff from .gitignore as well.


Solution

  • Or will it read both?

    As mentioned here, it will only read the .npmignore.

    If you want to include something that is excluded by your .gitignore file, you can create an empty .npmignore file to override it.

    Although, Jeff Dickey advocates for: "For the love of god, don’t use .npmignore"

    However, what you probably don’t know is that my little action of adding the npmignore file actually causes npm to now consult that file instead of the gitignore files.
    This is a major issue—I’ve now leaked all my AWS credentials out to the public just by adding this .npmignore to hide my test directory.

    What’s worse is I probably have no idea this happened. npm publish doesn’t show the files that were packed (it actually does with npm 6).
    I don’t see the files on the npm registry.

    The only real way to see the files is by adding the package to a project and manually looking inside node_modules. I might do that someday out of curiosity and discover my AWS credentials have been sitting out in the open for months.

    Solution/safer alternative:

    npm supports whitelisting though, just add a files attribute to package.json with everything you intend to add to the project.
    Now only the files that are specified in files will be included in the project and your dotfiles will be ignored.
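The precedence rule the answer describes (a .npmignore, even an empty one, replaces .gitignore entirely; a "files" whitelist in package.json takes priority over both) can be modelled in a few lines so the credential-leak scenario from the quoted post can be checked on a constructed file tree. The following JavaScript is an added example, not code from the thread, from Jeff Dickey's post, or from npm itself: it is a simplified model of npm's packing decision, the ALWAYS_INCLUDED and ALWAYS_EXCLUDED_DIRS sets are an assumption of the model (real npm has more such rules), and the working tree, .gitignore and .npmignore contents are constructed sample data.

```javascript
'use strict';

// Simplified model (assumption, not npm's real rule set): a few files are always packed
// and a few directories are never packed, regardless of any ignore file.
const ALWAYS_INCLUDED = new Set(['package.json', 'README.md', 'LICENSE']);
const ALWAYS_EXCLUDED_DIRS = new Set(['.git', 'node_modules']);

// Turn one ignore-style pattern into a predicate over a slash-separated path.
// Handles the common forms: "name", "dir/", "*.ext", "path/to/thing".
// forceAnchored=true treats the pattern as relative to the package root
// (used for the package.json "files" whitelist).
function patternToTest(rawPattern, forceAnchored = false) {
  let pattern = rawPattern.trim();
  if (pattern === '' || pattern.startsWith('#')) return () => false;
  const dirOnly = pattern.endsWith('/');
  if (dirOnly) pattern = pattern.slice(0, -1);
  const anchored = forceAnchored || pattern.includes('/');
  pattern = pattern.replace(/^\//, '');
  // Escape regex metacharacters, then let "*" match anything except "/".
  const body = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*');
  const re = new RegExp(`^${body}$`);
  return (filePath) => {
    const segments = filePath.split('/');
    for (let i = 0; i < segments.length; i++) {
      const isDir = i < segments.length - 1; // every non-final segment is a directory
      if (dirOnly && !isDir) continue;
      // Anchored patterns are matched against the path prefix; unanchored ones
      // against each individual segment, the way .gitignore does it.
      const candidate = anchored ? segments.slice(0, i + 1).join('/') : segments[i];
      if (re.test(candidate)) return true;
    }
    return false;
  };
}

function matchesAny(filePath, patterns, forceAnchored = false) {
  return patterns.some((p) => patternToTest(p, forceAnchored)(filePath));
}

// Decide which paths of `fileList` end up in the tarball. `gitignore` and `npmignore`
// are file contents, or null when that file does not exist; `packageJsonFiles` is the
// "files" array from package.json, or null when absent.
function selectPackedFiles({ fileList, gitignore = null, npmignore = null, packageJsonFiles = null }) {
  const lines = (text) => (text === null ? [] : text.split('\n'));
  const packed = [];
  for (const filePath of fileList) {
    if (ALWAYS_EXCLUDED_DIRS.has(filePath.split('/')[0])) continue;
    if (ALWAYS_INCLUDED.has(filePath)) { packed.push(filePath); continue; }
    let included;
    if (packageJsonFiles !== null) {
      included = matchesAny(filePath, packageJsonFiles, true); // whitelist wins
    } else if (npmignore !== null) {
      included = !matchesAny(filePath, lines(npmignore)); // .gitignore is not consulted
    } else {
      included = !matchesAny(filePath, lines(gitignore));
    }
    if (included) packed.push(filePath);
  }
  return packed.sort();
}

// Constructed sample tree: secrets that are correctly kept out of git.
const WORKING_TREE = [
  'package.json', 'README.md', 'lib/index.js', 'test/index.test.js',
  '.env', 'aws-credentials.json', 'debug.log', 'node_modules/dep/index.js',
];
const GITIGNORE = ['node_modules/', '.env', 'aws-credentials.json', '*.log'].join('\n');

// The four situations discussed in the thread, as one function so they can be compared.
function demoScenarios() {
  return {
    gitignoreOnly: selectPackedFiles({ fileList: WORKING_TREE, gitignore: GITIGNORE }),
    // Adding .npmignore just to hide test/ silently re-includes every secret.
    npmignoreHidingTests: selectPackedFiles({ fileList: WORKING_TREE, gitignore: GITIGNORE, npmignore: 'test/' }),
    // An empty .npmignore overrides .gitignore and packs everything.
    emptyNpmignore: selectPackedFiles({ fileList: WORKING_TREE, gitignore: GITIGNORE, npmignore: '' }),
    // The "files" whitelist: only what is listed (plus the always-included files).
    filesWhitelist: selectPackedFiles({ fileList: WORKING_TREE, gitignore: GITIGNORE, npmignore: 'test/', packageJsonFiles: ['lib'] }),
  };
}

console.log(demoScenarios());
```

The `npmignoreHidingTests` result is the leak from the quoted post: the only change was a one-line .npmignore, yet `.env` and `aws-credentials.json` are now in the tarball. On a real package the same comparison is done with `npm pack --dry-run`, which lists the tarball contents without publishing anything.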