Do I need to copy-paste stuff from ".gitignore" to ".npmignore"
So I was reading this.
And I'm a bit confused about how it works. As I understand it:
If I only have .gitignore in my repo, npm will use .gitignore.
But if I have both .gitignore and .npmignore, npm will only read .npmignore, right? Or will it read both?
I need to know, because if it only reads .npmignore, I also have to copy-paste the contents from .gitignore.
As mentioned here, it will only read .npmignore:
"If you want to include something that is excluded by your .gitignore file, you can create an empty .npmignore file to override it."
Though Jeff Dickey advocates for "For the love of god, don't use .npmignore":
"However, what you probably don't know is that my little action of adding the npmignore file actually causes npm to now consult that file instead of the gitignore files. This is a major issue—I've now leaked all my AWS credentials out to the public just by adding this .npmignore to hide my test directory.
What's worse is I probably have no idea this happened. npm publish doesn't show the files that were packed (it actually does with npm 6). I don't see the files on the npm registry. The only real way to see the files is by adding the package to a project and manually looking inside node_modules. I might do that someday out of curiosity and discover my AWS credentials have been sitting out in the open for months."
Solution/safer alternative:
"npm supports whitelisting though, just add a files attribute to package.json with everything you intend to add to the project. Now only the files that are specified in files will be included in the project and your dotfiles will be ignored."
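A package.json using the files whitelist the answer recommends. This is an added example, not from the original post, the linked article, or npm's own documentation; the package name, version and the lib/ and bin/ paths are assumptions, and a real project would list its own directories.

```json
{
  "name": "example-package",
  "version": "1.0.0",
  "main": "lib/index.js",
  "files": [
    "lib/",
    "bin/"
  ]
}
```

With this in place, a .env, credentials.json or a test/ directory sitting next to package.json is not packed whether or not .gitignore or .npmignore mentions it, because it is not in the whitelist. npm still always includes package.json, README, LICENSE/LICENCE and the file named in main, and always excludes .git, node_modules and .npmrc, regardless of files. Before publishing, run `npm pack --dry-run` (npm 6 and later; `npm publish --dry-run` also works) and read the "Tarball Contents" it prints, which is a far cheaper check than installing the package and inspecting node_modules as the quoted post describes.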