npm pack is not respecting .gitignore

What I Wanted to Do

npm pack should not include files listed in .gitignore (pnpm-lock.yaml in my case)

What Happened Instead

npm pack includes pnpm-lock.yaml even if it’s in .gitignore; the file will be skipped only if I explicitly list it in .npmignore.

Reproduction Steps

Run the commands below:

mkdir testing; cd testing
npm init --yes
touch pnpm-lock.yaml
echo pnpm-lock.yaml > .gitignore
echo '*.tgz' > .npmignore
npm pack
tar tf *.tgz | grep pnpm && echo 'found pnpm file' || echo 'not found pnpm file'


The pnpm file is not expected to be included in the pack result, according to the .gitignore.

Platform Info

$ npm --versions
{ testing: '1.0.0',
  npm: '5.3.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.12.0',
  openssl: '1.0.2p',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.66',
  zlib: '1.2.11' }

$ node -p process.platform

Maybe related to this closed bug report: "npmrc file not respected by package-lock.json"

(Moving to #support as this is the intended behaviour.)

This is the documented behaviour. If you have .npmignore, then .gitignore is not consulted. The .gitignore is just used as a convenient fallback.

Use a .npmignore file to keep stuff out of your package. If there’s no .npmignore file, but there is a .gitignore file, then npm will ignore the stuff matched by the .gitignore file. If you want to include something that is excluded by your .gitignore file, you can create an empty .npmignore file to override it.
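
The fallback rule quoted above means that any file kept out of git (lock files, local config, credentials) can end up in a published tarball as soon as a .npmignore exists without the same entries. The script below is an added example, not part of the original thread or of npm: it reports .gitignore lines that have no matching line in .npmignore. The function names are hypothetical, and patterns are compared as literal lines only.

```shell
#!/bin/sh
# Added example: list .gitignore entries that stop applying once a
# .npmignore exists (the fallback rule quoted above).
# Assumption: patterns are compared as literal lines; glob and
# negation semantics are not evaluated.

# Print the ignore file npm consults for a package directory.
effective_ignore_file() {
    if [ -f "$1/.npmignore" ]; then
        echo ".npmignore"
    elif [ -f "$1/.gitignore" ]; then
        echo ".gitignore"
    else
        echo "none"
    fi
}

# Drop trailing whitespace, comments and blank lines, then sort.
normalize_patterns() {
    sed -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1" | sort -u
}

# Print .gitignore patterns missing from .npmignore.
# Returns 1 if any are missing, 0 otherwise.
npm_ignore_gap() {
    dir=$1
    # Without .npmignore, .gitignore is the fallback: nothing is lost.
    [ -f "$dir/.npmignore" ] || return 0
    [ -f "$dir/.gitignore" ] || return 0
    tmp=$(mktemp -d) || return 2
    normalize_patterns "$dir/.gitignore" > "$tmp/git"
    normalize_patterns "$dir/.npmignore" > "$tmp/npm"
    missing=$(comm -23 "$tmp/git" "$tmp/npm")
    rm -rf "$tmp"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample mirroring the reproduction steps in the post.
demo=$(mktemp -d)
echo 'pnpm-lock.yaml' > "$demo/.gitignore"
echo '*.tgz' > "$demo/.npmignore"
echo "consulted: $(effective_ignore_file "$demo")"
npm_ignore_gap "$demo" || echo "(listed in .gitignore only)"
rm -rf "$demo"
```

Because npm_ignore_gap returns non-zero when entries are missing, it can gate a publish step in CI.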