chore(package): restrict published files to runtime artifacts (#190)#207
Open
SAY-5 wants to merge 1 commit intopinojs:mainfrom
Open
chore(package): restrict published files to runtime artifacts (#190)#207SAY-5 wants to merge 1 commit intopinojs:mainfrom
SAY-5 wants to merge 1 commit intopinojs:mainfrom
Conversation
…#190) The current tarball ships dev-only files (tests, .github workflows, eslint.config.js, tsconfig.json, bench.js, transpile scripts, etc.) because `package.json` has no `files` field and relies on the npm default excludelist. Reported in pinojs#190. Before: 61 files / 81.1 kB unpacked After: 8 files / 34.7 kB unpacked Added an explicit `files` allowlist covering just the runtime entrypoints (`index.js`, `index.d.ts`, `lib/`). LICENSE, README, and package.json are always included by npm. Also makes the tarball independent of local working tree state, so stray `.husky` / IDE directories can no longer leak. Verified with `npm pack --dry-run` and the full test suite (50 pass, 3 skipped — unchanged by this PR).
|
Please see fastify/skeleton#42 (comment) for an explanation of why this is invalid. |
Author
|
Thanks for the link. The concern in fastify/skeleton#42 is about maintenance burden of listing individual files. In this PR, the That said, if the maintainers prefer a different approach (e.g. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #190.
The published tarball currently ships dev-only files (tests, `.github/` workflows, `eslint.config.js`, `tsconfig.json`, `bench.js`, the `test/ts/transpile.sh` scripts, etc.) because `package.json` has no `files` field and relies on the npm default excludelist.
Before (`npm pack --dry-run` on `main`)
```
npm notice total files: 61
npm notice package size: 20.2 kB
npm notice unpacked size: 81.1 kB
```
After
```
LICENSE
README.md
index.d.ts
index.js
lib/indexes.js
lib/wait.js
lib/worker.js
package.json
npm notice total files: 8
npm notice package size: 9.9 kB
npm notice unpacked size: 34.7 kB
```
Added an explicit `files` allowlist covering the runtime entrypoints (`index.js`, `index.d.ts`, `lib/`). `LICENSE`, `README.md`, and `package.json` are always included by npm. This also makes the published contents independent of the working tree at publish time, so stray `.husky` / IDE / editor swap files can no longer leak into the tarball regardless of what's on disk.
Full `npm test` suite: 50 passing / 3 pre-existing skipped — unchanged by this PR.