From 892431e3832d4aee91dfa2ccacb6e33b158bef40 Mon Sep 17 00:00:00 2001 From: SAY-5 Date: Wed, 15 Apr 2026 01:36:19 -0700 Subject: [PATCH] chore(package): restrict published files to runtime artifacts (#190) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The current tarball ships dev-only files (tests, .github workflows, eslint.config.js, tsconfig.json, bench.js, transpile scripts, etc.) because `package.json` has no `files` field and relies on the npm default excludelist. Reported in #190. Before: 61 files / 81.1 kB unpacked After: 8 files / 34.7 kB unpacked Added an explicit `files` allowlist covering just the runtime entrypoints (`index.js`, `index.d.ts`, `lib/`). LICENSE, README, and package.json are always included by npm. Also makes the tarball independent of local working tree state, so stray `.husky` / IDE directories can no longer leak. Verified with `npm pack --dry-run` and the full test suite (50 pass, 3 skipped — unchanged by this PR). --- package.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/package.json b/package.json index 7370035..0ca2db5 100644 --- a/package.json +++ b/package.json @@ -4,6 +4,11 @@ "description": "A streaming way to send data to a Node.js Worker Thread", "main": "index.js", "types": "index.d.ts", + "files": [ + "index.js", + "index.d.ts", + "lib/" + ], "engines": { "node": ">=20" },
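Review bot: the `"files"` array added after `"types": "index.d.ts"` in package.json is an allowlist with nothing automated guarding it. From this change on, any runtime file placed outside `index.js`, `index.d.ts` and `lib/` will be silently absent from the published tarball, and the failure only shows up for consumers after a release. The commit message says the result was verified by hand with `npm pack --dry-run`; consider running that same command in CI and comparing the packed file list against an expected list, so a missing entrypoint or an unexpected extra file fails the build rather than the release. Separately, the `"lib/"` entry publishes everything under that directory, so it is worth confirming that no test fixtures or build-only files live there now, and keeping that in mind when files are added under `lib/` later.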