justmoon / node-extend

Simple function to extend objects


Package contains file not in source control

skonves opened this issue · comments

extend@3.0.2 contains an .editorconfig file that is not in source control. Additionally, there are three config files (.eslintrc, .jscs.json, and .travis.yml) that are not necessary to include in the package. Any of these files are inherently benign; however, the tarball from the latest version of the package cannot be consistently reproduced from source control.

You can reproduce this scan by using "TBV":
npx tbv verify extend@3.0.2 --verbose


I recommend adding all root-level dot files to .npmignore. Doing so will allow the package to "verify" and will reduce the unpacked module size by 50%.

See also

What do you mean by “verify”? Every package with a build process contains files not in source control.

In this case, it’s a locally present untracked file. I can remove it, but explicitly gitignoring it seems extreme.

Separately, the lint configs are absolutely necessary to include, otherwise tests won’t pass in an installed version of this package.

Every package with a build process contains files not in source control

True, but if the package has a prepare or prepack script, then you can, in theory, run npm pack on a clean repo and reproduce file-for-file what is in the published package.

Again, the extra file is benign 👍. I was just updating the deps for express-http-context and noticed it.

And thanks for maintaining the package 🎉
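The check the thread is arguing about, written out as an added example (this is not code from the issue, from TBV, or from the extend project): take the file list of the published tarball, take the file list a clean checkout would produce with `npm pack`, and report anything present on one side only. Both lists below are constructed inline so the script runs offline; the real commands that would produce them are given in comments and assume npm 7+ output formats. The `drop_root_dotfiles` step models the effect of the `.npmignore` suggestion made in the issue; the maintainer's objection about lint configs being needed by the tests is not addressed here.

```shell
#!/bin/sh
# Added example, not part of the issue thread or of the extend project.
# Goal: decide whether a published npm tarball is reproducible file-for-file
# from a clean checkout, as discussed above.
#
# In a live check the two lists would come from real commands (npm 7+ assumed):
#   curl -sL "$(npm view extend@3.0.2 dist.tarball)" \
#       | tar -tzf - | sed 's#^package/##' | sort -u          # published tarball
#   git clone <repo> && cd <repo> && git checkout v3.0.2 && npm ci
#   npm pack --dry-run --json | jq -r '.[0].files[].path' | sort -u   # clean pack
# Here both lists are constructed so the script is self-contained.

# Constructed: entries of the published tarball (package/ prefix stripped).
PUBLISHED_FILES='.editorconfig
.eslintrc
.jscs.json
.travis.yml
LICENSE
README.md
index.js
package.json
test/index.js'

# Constructed, hypothetical: what `npm pack` yields from a clean clone of the
# same tag. The issue states .editorconfig was a locally present untracked file,
# so it is absent here.
SOURCE_PACK_FILES='.eslintrc
.jscs.json
.travis.yml
LICENSE
README.md
index.js
package.json
test/index.js'

# Print lines present in list $1 but absent from list $2 (set difference).
only_in_first() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | sort -u > "$a"
    printf '%s\n' "$2" | sort -u > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Print "reproducible" when the tarball and the clean pack contain exactly the
# same paths, otherwise print "not-reproducible" and list the differences on
# stderr. Content hashes are out of scope here; this compares file sets only.
verify_tarball() {
    extra=$(only_in_first "$1" "$2")     # shipped, but a clean pack would not produce it
    missing=$(only_in_first "$2" "$1")   # produced by a clean pack, but not shipped
    if [ -z "$extra" ] && [ -z "$missing" ]; then
        echo reproducible
        return 0
    fi
    if [ -n "$extra" ]; then
        printf 'only in published tarball:\n%s\n' "$extra" >&2
    fi
    if [ -n "$missing" ]; then
        printf 'only in clean pack:\n%s\n' "$missing" >&2
    fi
    echo not-reproducible
}

# Model the issue's suggestion: ignore every root-level dot file. A root-level
# dot file is a name starting with "." and containing no "/".
drop_root_dotfiles() {
    printf '%s\n' "$1" | grep -v '^\.[^/]*$' || true
}

# Stand-alone run: first the lists as they are, then with root dot files ignored.
verify_tarball "$PUBLISHED_FILES" "$SOURCE_PACK_FILES"
verify_tarball "$(drop_root_dotfiles "$PUBLISHED_FILES")" \
               "$(drop_root_dotfiles "$SOURCE_PACK_FILES")"
```

With the constructed lists the first run reports `.editorconfig` as present only in the published tarball; once root-level dot files are excluded from both sides, the sets coincide and the second run reports `reproducible`. For a package with a `prepare` or `prepack` script, the clean-pack side must be produced after that script has run, otherwise build outputs will show up as "only in published tarball" even when the release is honest.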

Thanks for helping out, truly!