所以我在读this .
据我所知,我对它的工作原理有点困惑:
如果我的 repo 中只有 .gitignore
,npm 将使用 .gitignore
但如果我同时有 .gitignore
和 。 npmignore
npm 只会读取 .npmignore
,对吧?或者它会读取两者?
需要知道,如果它只是读取 .npmignore
,我还必须从 .gitignore
复制粘贴内容。
最佳答案
Or it will read both
作为mentioned here , 它只会读取 .npmignore
If you want to include something that is excluded by your
.gitignore
file, you can create an empty.npmignore
file to override it.
虽然,Jeff Dickey提倡:“For the love of god, don’t use .npmignore”
However, what you probably don’t know is that my little action of adding the npmignore file actually causes
npm
to now consult that file instead of the gitignore files.
This is a major issue—I’ve now leaked all my AWS credentials out to the public just by adding this.npmignore
to hide my test directory.What’s worse is I probably have no idea this happened.
npm publish
doesn’t show the files that were packed (it actually does with npm 6).
I don’t see the files on the npm registry.The only real way to see the files is by adding the package to a project and manually looking inside node_modules. I might do that someday out of curiosity and discover my AWS credentials have been sitting out in the open for months.
解决方案/更安全的替代方案:
npm
supports whitelisting though, just add a files attribute topackage.json
with everything you intend to add to the project.
Now only the files that are specified in files will be included in the project and your dotfiles will be ignored.
关于npm - 我需要从 ".gitignore"复制粘贴内容到 ".npmignore",我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59015606/