Reputation: 63
So I was reading this.
And I'm a bit confused about how it works. As I understood it:
If I only have .gitignore in my repo, npm will use .gitignore, but if I have both .gitignore and .npmignore, npm will only read .npmignore, right? Or will it read both?
I need to know, because if it's only reading .npmignore I have to copy-paste stuff from .gitignore as well.
Upvotes: 3
Views: 409
Reputation: 1325205
Or will it read both?
As mentioned here, it will only read the .npmignore.
If you want to include something that is excluded by your .gitignore file, you can create an empty .npmignore file to override it.
Although, Jeff Dickey advocates for: "For the love of god, don’t use .npmignore"
However, what you probably don’t know is that my little action of adding the npmignore file actually causes npm to now consult that file instead of the gitignore files.
This is a major issue—I’ve now leaked all my AWS credentials out to the public just by adding this .npmignore to hide my test directory.
What’s worse is I probably have no idea this happened. npm publish doesn’t show the files that were packed (it actually does with npm 6). I don’t see the files on the npm registry.
The only real way to see the files is by adding the package to a project and manually looking inside node_modules. I might do that someday out of curiosity and discover my AWS credentials have been sitting out in the open for months.
Solution/safer alternative: npm supports whitelisting though, just add a files attribute to package.json with everything you intend to add to the project.
Now only the files that are specified in files will be included in the project and your dotfiles will be ignored.
Upvotes: 4
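The precedence the answer describes can be checked rather than assumed: `npm pack` builds the same tarball that `npm publish` would upload, and listing its contents shows exactly what ships. The script below is an added example (not from the question, the answer, or Jeff Dickey's post). It assumes `npm` and `tar` are on PATH, and every package file it writes is constructed for the demo; the `.env` file stands in for the leaked credentials and holds a made-up placeholder. It covers all three situations at once: `.gitignore` alone, `.gitignore` plus an `.npmignore` that hides `test/`, and the `files` whitelist.

```shell
#!/bin/sh
# Added example (not from the original post): build throwaway packages in a
# temp directory and list what `npm pack` would actually ship, so the
# .gitignore / .npmignore / "files" precedence can be checked instead of
# assumed. Requires npm and tar on PATH; all file contents are constructed.
set -eu

# make_demo_package DIR MODE
# MODE is one of:
#   gitignore-only   - only .gitignore (lists .env), no .npmignore
#   npmignore-added  - .gitignore plus an .npmignore that hides test/
#   files-whitelist  - same as above, plus "files": ["lib"] in package.json
make_demo_package() {
  dir=$1
  mode=$2
  mkdir -p "$dir/lib" "$dir/test"
  printf 'module.exports = 1;\n' > "$dir/lib/index.js"
  printf 'test("x", () => {});\n' > "$dir/test/index.test.js"
  # Stand-in for a credential file; the value is a made-up placeholder.
  printf 'AWS_SECRET_ACCESS_KEY=placeholder-not-a-real-key\n' > "$dir/.env"
  printf '.env\nnode_modules/\n' > "$dir/.gitignore"
  case $mode in
    gitignore-only)
      printf '{"name":"demo","version":"1.0.0","main":"lib/index.js"}\n' > "$dir/package.json"
      ;;
    npmignore-added)
      printf '{"name":"demo","version":"1.0.0","main":"lib/index.js"}\n' > "$dir/package.json"
      printf 'test/\n' > "$dir/.npmignore"
      ;;
    files-whitelist)
      printf '{"name":"demo","version":"1.0.0","main":"lib/index.js","files":["lib"]}\n' > "$dir/package.json"
      printf 'test/\n' > "$dir/.npmignore"
      ;;
    *)
      echo "unknown mode: $mode" >&2
      return 1
      ;;
  esac
}

# list_packed DIR
# Runs `npm pack` inside DIR, prints the paths inside the tarball (without
# the leading "package/"), then removes the tarball. Avoids --json and
# --pack-destination so it works on npm 6 as well as later versions.
list_packed() {
  (
    cd "$1"
    rm -f ./*.tgz
    npm pack >/dev/null 2>&1
    tarball=$(ls ./*.tgz)
    tar -tzf "$tarball" | sed 's#^package/##'
    rm -f "$tarball"
  )
}

# packed_contains DIR PATH -> prints "yes" if PATH is in the tarball, else "no"
packed_contains() {
  if list_packed "$1" | grep -qx "$2"; then
    echo yes
  else
    echo no
  fi
}

# Show the three cases side by side.
demo() {
  tmp=$(mktemp -d)
  for mode in gitignore-only npmignore-added files-whitelist; do
    make_demo_package "$tmp/$mode" "$mode"
    echo "== $mode =="
    list_packed "$tmp/$mode" | sort
    echo ".env shipped: $(packed_contains "$tmp/$mode" .env)"
  done
  rm -rf "$tmp"
}

if command -v npm >/dev/null 2>&1; then
  demo
else
  echo "npm not found on PATH; nothing to demonstrate" >&2
fi
```

With `.gitignore` alone, `.env` stays out of the tarball but `test/` ships; adding `.npmignore` to hide `test/` makes npm stop consulting `.gitignore`, so `.env` ships; with `"files": ["lib"]` only `lib/` and the always-included files such as `package.json` ship. Running `list_packed` (or `npm pack --dry-run` on npm 6+) against your own package before `npm publish` is the cheap check that catches this.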