diff --git a/posts/npm-pack.md b/posts/npm-pack.md
new file mode 100644
index 0000000..4e2c306
--- /dev/null
+++ b/posts/npm-pack.md
# npm pack
When publishing on npm, how do you know that what you _intend_
to publish is what ends up getting published?
Worst case scenario a bad build config publishes secrets like a
`.env` file.
Given the following project:
```
$ tree -a
.
├── .env
└── package.json
0 directories, 2 files
```
and those files' contents:
```
$ cat package.json
{
"name": "bad-npm",
"version": "1.0.0"
}
$ cat .env
SUPER_SECRET=true
IF_ANYONE_CAN_READ_THIS="I am in big trouble"
```
Ok let's see what npm is preparing to publish:
```
$ npm pack --dry-run
npm notice
npm notice 📦 bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 64B .env
npm notice 46B package.json
```
ah shit. Probably shouldn't publish that, but...
```
$ npm publish
npm notice
npm notice 📦 bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 64B .env
npm notice 46B package.json
```
and sure enough it's now publicly available:
"https://registry.npmjs.org/bad-npm/-/bad-npm-1.0.0.tgz"
to fix this you could ignore `.env` files but I think the safest
fix is an allow list with `files`:
```
$ cat package.json
{
"name": "bad-npm",
"version": "1.0.0",
"files": []
}
$ npm pack --dry-run
npm notice
npm notice 📦 bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 61B package.json
```
nice! Seems like npm should default to error if there are no files specified.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+