npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

`npm pack` includes .git directory?

What I Wanted to Do

npm pack must not include .git/.

What Happened Instead

It does!

Reproduction Steps

> git clone https://github.com/saschanaz/scroll-agnostic-timeline
> cd scroll-agnostic-timeline
> git checkout v1.1.0
> npm pack

Details

Platform Info

$ npm --versions
{ 'scroll-agnostic-timeline': '1.1.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.9.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '6.8.275.24-node.14',
  zlib: '1.2.11' }
$ node -p process.platform
win32


This also seems to happen for other similar patterns:

**/.npmrc works fine for me, so perhaps it’s particularly sub-directories. Also, I can’t reproduce it on a simple repository, and copied package.json and .gitignore didn’t seem to be the cause in my tests.


I suspect one of the !-prefixed bits in your .gitignore is triggering this. /cc @isaacs


Yep, not sure why I missed that when testing. The offending pattern seems to be:

!**/[Pp]ackages/build/

Which matches .git for some reason when dot is enabled: https://runkit.com/larsgw/minimatch-glob-problem

Edit

Right, is isn’t dot (that’s just needed to make it work for .{git,svn,hg} and not just CVS. The problem, I think, is the partial parameter in Minimatcher#match, and that it matches whether the pattern could be a subdirectory of .git, which it can, and can be for any directory since it starts with **/.

Edit 2

The partial parameter is added here to check for directories, and I’m not sure why, but it’s been there for at least a year, so I don’t know if that’s the problem.

Edit 3

My understanding, after way longer than it should have been, my conclusion is that the offending rule ‘unlocks’ the normally locked directories to be traversed to check what files to include. Since the default pattern only blocks the directory and not files in it, these files are then included by default. I’m not sure if there’s a fix for this that doesn’t break manual inclusion of .git repositories, or more specifically their subdirectories.


I made a PR:

https://github.com/npm/npm-packlist/pull/17

I don’t know if it’s the best solution, as it may break some configs: rules like !.git would have to be replaced by !.git/**.