npm / cli

the package manager for JavaScript

Home Page: https://docs.npmjs.com/cli/


[BUG] .npmignore does not handle .npmrc as expected

samjacoby opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The .npmrc is never included in the published package, even when explicitly included in the .npmignore.

Expected Behavior

When !.npmrc is specified in the .npmignore, I would expect it to be included in the published package. This was the behavior in 9.x and 10.1. The issue appears in 10.2 onwards.

Steps To Reproduce

Create an .npmrc in your project:

save-exact=true
audit=false

Create an .npmrc with the following:

!.npmrc

Run npm publish --dry-run

Output:

➜  test-npmrc npm --version
10.7.0
➜   npm publish --dry-run 
npm notice
npm notice 📦  test-npmrc@1.0.0
npm notice Tarball Contents
npm notice 35B .npmignore
npm notice 224B package.json
npm notice Tarball Details
npm notice name: test-npmrc
npm notice version: 1.0.0
npm notice filename: test-npmrc-1.0.0.tgz
npm notice package size: 296 B
npm notice unpacked size: 259 B
npm notice shasum: 682fc79729bc131fdf0e4b53b9946b4b33f68406
npm notice integrity: sha512-K6tK0rIivqI+u[...]vncmI1/O8C0PA==
npm notice total files: 2
npm notice
npm warn This command requires you to be logged in to https://registry.npmjs.org/ (dry-run)
npm notice Publishing to https://registry.npmjs.org/ with tag latest and default access (dry-run)
+ test-npmrc@1.0.0

I would expect to have seen the .npmrc here.

If you downgrade to version 10.1, this is the behavior (which was also the behavior in 9.x). The pack does include the .npmrc.

➜  npm --version
10.1.0
➜  npm publish --dry-run
npm notice 
npm notice 📦  test-npmrc@1.0.0
npm notice === Tarball Contents === 
npm notice 35B  .npmignore  
npm notice 73B  .npmrc      
npm notice 224B package.json
npm notice === Tarball Details === 
npm notice name:          test-npmrc                              
npm notice version:       1.0.0                                   
npm notice filename:      test-npmrc-1.0.0.tgz                    
npm notice package size:  367 B                                   
npm notice unpacked size: 332 B                                   
npm notice shasum:        577e4ff511a5c2891f56ce58a1240e49ba4a013b
npm notice integrity:     sha512-oah1C+gUROoUy[...]aifUFZcFe81MQ==
npm notice total files:   3                                       
npm notice 
npm WARN This command requires you to be logged in to https://registry.npmjs.org/ (dry-run)
npm notice Publishing to https://registry.npmjs.org/ with tag latest and default access (dry-run)
+ test-npmrc@1.0.0

Looking at the docs, it appears that only the .npmrc is treated this way. I'm able to override the other auto-ignored files (at least the handful I tried in the .npmignore without problem).

Environment

  • npm: 10.7.0
  • Node.js: v20.11.1
  • OS Name: Sonoma 14.4.1
  • System Model Name: Macbook Pro
  • npm config:
; "user" config from /Users/sjacoby/.npmrc

; "project" config from /Users/sjacoby/test-npmrc/.npmrc

audit = false 
save-exact = true 
save-prefix = "" 

; node bin location = /Users/sjacoby/.nvm/versions/node/v20.11.1/bin/node
; node version = v20.11.1
; npm local prefix = /Users/sjacoby/test-npmrc
; npm version = 10.7.0
; cwd = /Users/sjacoby//test-npmrc
; HOME = /Users/sjacoby
; Run `npm config ls -l` to show all defaults.
commented

This is very much intentional. That file would be ignored by npm during installation, and it sometimes has sensitive info in it. Because of that it is never included in a published package.

Makes sense to me; I'll note that we distribute some shared configuration data in .npmrc files in private packages in internal registries, so this was a breaking change for us. There are other mechanisms that we can use to accomplish the same thing, but it was unexpected.
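The maintainer's reason for the change is that an .npmrc often carries registry credentials, so npm now drops it from every tarball. The following pre-publish check is an added example written for this thread, not npm's own code: it inspects the file list that `npm pack --dry-run --json` reports and flags entries that should never ship, and it scans the text of an .npmrc for credential-bearing keys (`_authToken`, `_auth`, `_password`, `username`) so a team that used to distribute shared settings in .npmrc can confirm nothing sensitive sits next to them. The JSON shape assumed (an array of objects with a `files: [{ path, size, mode }]` list) is what npm 7+ prints for `npm pack --json`; the sample inputs are constructed to mirror the 10.1.0 run shown above.

```javascript
// Added example, not part of the npm/cli project. Two checks a maintainer of a
// private package might run before `npm publish`:
//   1. findSensitiveEntries: flag tarball entries that should never be published;
//   2. findCredentialKeys: report credential keys found in an .npmrc, values redacted.
// Assumption: `npm pack --dry-run --json` prints an array of package objects, each
// with a `files` array of { path, size, mode } (npm 7+ behaviour).

const SENSITIVE_PATHS = [
  /^\.npmrc$/,               // the file this issue is about
  /(^|\/)\.env(\..*)?$/,     // .env, .env.local, ...
  /\.(pem|key|p12|pfx)$/i,   // private keys and keystores
];

// Return the tarball entries whose path matches a sensitive pattern.
function findSensitiveEntries(packJson) {
  const hits = [];
  for (const pkg of packJson) {
    for (const file of pkg.files || []) {
      if (SENSITIVE_PATHS.some((re) => re.test(file.path))) {
        hits.push({ package: pkg.name || pkg.id, path: file.path });
      }
    }
  }
  return hits;
}

// Keys that carry credentials in an .npmrc. npm writes registry-scoped auth as
// `//host/path/:_authToken=...`; older setups use `_auth` (base64 user:pass),
// `_password` or `username`, either top-level or scoped to a registry.
const CREDENTIAL_KEYS = /(^|:)(_authToken|_auth|_password|username)$/i;

// Parse an .npmrc (ini-style key=value lines, ';' or '#' comments) and return the
// credential keys found, with values redacted so the report is safe to log.
function findCredentialKeys(npmrcText) {
  const found = [];
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (CREDENTIAL_KEYS.test(key)) {
      found.push({ key, value: value.length > 4 ? value.slice(0, 4) + '...' : '****' });
    }
  }
  return found;
}

// Combine both checks into a single verdict for a publish pipeline.
function checkPackage(packJson, npmrcText) {
  const problems = [];
  for (const hit of findSensitiveEntries(packJson)) {
    problems.push(`tarball contains ${hit.path} (package ${hit.package})`);
  }
  for (const cred of findCredentialKeys(npmrcText)) {
    problems.push(`.npmrc carries credential key ${cred.key} (value ${cred.value})`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: what `npm pack --dry-run --json` would report for the
// npm 10.1.0 run in the issue, where .npmrc still landed in the tarball.
const SAMPLE_PACK_JSON = [
  {
    id: 'test-npmrc@1.0.0',
    name: 'test-npmrc',
    version: '1.0.0',
    files: [
      { path: '.npmignore', size: 35, mode: 420 },
      { path: '.npmrc', size: 73, mode: 420 },
      { path: 'package.json', size: 224, mode: 420 },
    ],
  },
];

// Constructed sample .npmrc: the harmless settings from the issue plus a
// registry token line of the kind `npm login` writes (placeholder value).
const SAMPLE_NPMRC = [
  'save-exact=true',
  'audit=false',
  '; token line written by `npm login` (constructed placeholder value)',
  '//registry.example.internal/:_authToken=npm_PLACEHOLDER_TOKEN_0000',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(checkPackage(SAMPLE_PACK_JSON, SAMPLE_NPMRC), null, 2));
}
```

In a pipeline the two inputs would come from `npm pack --dry-run --json` and the project's .npmrc rather than the constructed samples; running the script as-is reports both the `.npmrc` tarball entry and the `_authToken` key. The redaction keeps only the first four characters of a value, which is enough to recognise the `npm_` token prefix in a log without reproducing the secret.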