Reputation: 222865
By default all files are published from the package directory with
npm publish .
even if they are not tracked by Git. Untracked files can be random temporary files that aren't covered by .gitignore or .npmignore and may include sensitive data.
Is there a way to prevent untracked files from being accidentally published?
Upvotes: 0
Views: 323
Reputation: 469
I do something similar to what @phd suggests which is to do a clean clone. The only difference is that I do it on my local machine.
This is how I do it:
#!/usr/bin/env bash
set -euo pipefail
# Publish from a fresh clone of the current repository, so files that only
# exist untracked in the working directory can never reach the tarball.
# Usage: publish [branch]; falls back to $BRANCH from the environment.
function publish() {
  local path="$PWD"
  local branch="${1:-${BRANCH:-}}"
  local tmp
  [[ -n "$branch" ]] || { echo "usage: publish <branch> (or set BRANCH)" >&2; exit 1; }
  tmp="$(mktemp -d)"
  cd "$tmp"
  git init
  git remote add origin "$path/.git"
  git fetch origin
  git checkout "$branch"
  npm i
  npm audit
  npm t
  # Abort if install or tests left anything modified or untracked in the clone.
  [[ -z "$(git status -s)" ]] || {
    echo "aborting publish: contains uncommitted files." >&2
    exit 1
  }
  npm publish
}
You can see the full script over at https://github.com/bas080/git-npm/blob/master/lib/git-npm
Upvotes: 1
Reputation: 94726
Do not publish from your working repository. Clone a clean repo and publish from it. When you have new development, just update the clean repo with git pull
and publish again. The clean repo could be a repo on a Continuous Integration server, so if all tests pass the CI server publishes automatically.
Upvotes: 1
Reputation: 9866
I think you need to try publish-please as a replacement:
As it claims, it will do a lot of validations before publishing to the registry.
Check that there are no untracked files in the working tree.
Upvotes: 1