`npm pack` includes .git directory?


(Kagami Sascha Rosylight) #1

What I Wanted to Do

npm pack must not include .git/.

What Happened Instead

It does!

Reproduction Steps

> git clone https://github.com/saschanaz/scroll-agnostic-timeline
> cd scroll-agnostic-timeline
> git checkout v1.1.0
> npm pack


Platform Info

$ npm --versions
{ 'scroll-agnostic-timeline': '1.1.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.9.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform

(Lars Willighagen) #2

This also seems to happen for other similar patterns:

**/.npmrc works fine for me, so perhaps it’s particularly sub-directories. Also, I can’t reproduce it on a simple repository, and copied package.json and .gitignore didn’t seem to be the cause in my tests.

(Kat Marchán) #3

I suspect one of the !-prefixed bits in your .gitignore is triggering this. /cc @isaacs

(Lars Willighagen) #4

Yep, not sure why I missed that when testing. The offending pattern seems to be:


Which matches .git for some reason when dot is enabled: https://runkit.com/larsgw/minimatch-glob-problem


Right, it isn’t dot (that’s just needed to make it work for .{git,svn,hg} and not just CVS). The problem, I think, is the partial parameter in Minimatcher#match, and that it matches whether the pattern could be a subdirectory of .git, which it can, and can be for any directory since it starts with **/.

Edit 2

The partial parameter is added here to check for directories, and I’m not sure why, but it’s been there for at least a year, so I don’t know if that’s the problem.

Edit 3

After way longer than it should have been, my conclusion is that the offending rule ‘unlocks’ the normally locked directories to be traversed to check what files to include. Since the default pattern only blocks the directory and not files in it, these files are then included by default. I’m not sure if there’s a fix for this that doesn’t break manual inclusion of .git repositories, or more specifically their subdirectories.

(Lars Willighagen) #5

I made a PR:

I don’t know if it’s the best solution, as it may break some configs: rules like !.git would have to be replaced by !.git/**.
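A release check for the symptom reported in this thread, as an added example (not code from npm or from any poster): it scans the file list that `npm pack --dry-run --json` prints and flags any path that passes through a version-control directory. The function names, the sample data and the assumed JSON shape (`files[].path`) are assumptions of this example.

```javascript
// Added example: flag version-control metadata in an npm tarball listing.
// Input is the JSON printed by `npm pack --dry-run --json`
// (assumed shape: [{ name, version, files: [{ path }] }]).
const VCS_DIRS = new Set(['.git', '.svn', '.hg', 'CVS']);

// Return every packed path that has a VCS name as one whole segment, so
// nested copies such as vendor/dep/.hg/hgrc are caught, while look-alikes
// such as .gitkeep or docs/git-notes.md are not.
function findVcsEntries(packJson) {
  const report = typeof packJson === 'string' ? JSON.parse(packJson) : packJson;
  const packages = Array.isArray(report) ? report : [report];
  const hits = [];
  for (const pkg of packages) {
    for (const file of pkg.files || []) {
      const segments = String(file.path).split(/[\\/]+/);
      const vcs = segments.find((s) => VCS_DIRS.has(s));
      if (vcs) hits.push({ package: pkg.name, path: file.path, vcs });
    }
  }
  return hits;
}

// Exit status for a prepublish or CI gate: 1 if VCS metadata would ship.
function gate(packJson) {
  const hits = findVcsEntries(packJson);
  for (const h of hits) {
    console.error(`${h.package}: ${h.vcs} metadata in tarball: ${h.path}`);
  }
  return hits.length === 0 ? 0 : 1;
}

// Constructed sample listing, trimmed to the fields used above.
const SAMPLE = JSON.stringify([{
  name: 'example-package',
  version: '1.0.0',
  files: [
    { path: 'package.json' },
    { path: 'lib/index.js' },
    { path: 'lib/.gitkeep' },
    { path: 'docs/git-notes.md' },
    { path: '.git/config' },
    { path: '.git/objects/pack/pack-constructed.pack' },
    { path: 'vendor/dep/.hg/hgrc' },
  ],
}]);

console.log(findVcsEntries(SAMPLE).map((h) => h.path));
```

Feeding it the real listing from a package directory and exiting with the value `gate` returns makes the check fail a publish job before the tarball is uploaded.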
