commit 8c875b3e1f96c7b115895ad632c11abd2af19f80 Author: Jesse Shawl Date: Sat Jan 23 14:40:04 2021 -0600
npm pack
diff --git a/posts/npm-pack.md b/posts/npm-pack.md new file mode 100644 index 0000000..4e2c306 --- /dev/null +++ b/posts/npm-pack.md
@@ -0,0 +1,78 @@

npm pack

When publishing on npm, how do you know that what you intend to publish is what ends up getting published?

Worst case scenario a bad build config publishes secrets like a .env file.

Given the following project:

$ tree -a
.
├── .env
└── package.json

0 directories, 2 files

and those files' contents:

$ cat package.json
{
  "name": "bad-npm",
  "version": "1.0.0"
}

$ cat .env
SUPER_SECRET=true
IF_ANYONE_CAN_READ_THIS="I am in big trouble"

Ok let's see what npm is preparing to publish:

$ npm pack --dry-run
npm notice
npm notice 📦  bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 64B .env
npm notice 46B package.json

ah shit. Probably shouldn't publish that, but...

$ npm publish
npm notice
npm notice 📦  bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 64B .env
npm notice 46B package.json

and sure enough it's now publicly available:

"https://registry.npmjs.org/bad-npm/-/bad-npm-1.0.0.tgz"

to fix this you could ignore .env files but I think the safest fix is an allow list with files:

$ cat package.json
{
  "name": "bad-npm",
  "version": "1.0.0",
  "files": []
}

$ npm pack --dry-run
npm notice
npm notice 📦  bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 61B package.json

nice! Seems like npm should default to error if there are no files specified.

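Review bot: The fix at the end of the hunk (`"files": []`) needs a sentence explaining why package.json still shows up in the tarball afterwards: npm always includes package.json, README, LICENSE/LICENCE and the file named in `main`, regardless of `files`, so an empty allow list means "only the always-included files", not "nothing". A reader applying this to a real project also needs to know that `files` is a list of path globs, e.g. `"files": ["dist/"]`, and that `npm publish --dry-run` performs the same check without uploading. Finally, since the `.env` at the earlier `npm publish` step was actually uploaded to the registry URL shown, the post should say that the values in it have to be treated as exposed; unpublishing does not recall copies that were already downloaded.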

