~/ npm pack
When publishing on npm, how do you know that what you intend to publish is what ends up getting published? Worst case scenario, a bad build config publishes secrets like a .env file.
Given the following project:
$ tree -a
.
├── .env
└── package.json
0 directories, 2 files
and those files' contents:
$ cat package.json
{
"name": "bad-npm",
"version": "1.0.0"
}
$ cat .env
SUPER_SECRET=true
IF_ANYONE_CAN_READ_THIS="I am in big trouble"
OK, let's see what npm is preparing to publish:
$ npm pack --dry-run
npm notice
npm notice 📦 bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 64B .env
npm notice 46B package.json
ah shit. Probably shouldn't publish that, but...
$ npm publish
npm notice
npm notice 📦 bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 64B .env
npm notice 46B package.json
and sure enough, it's now publicly available:
"https://registry.npmjs.org/bad-npm/-/bad-npm-1.0.0.tgz"
To fix this you could ignore .env files in a .npmignore (with the caveat that npm only falls back to .gitignore when there is no .npmignore, so adding a .npmignore for one file silently stops ignoring everything .gitignore covered), but I think the safest fix is an allow list with files in package.json:
$ cat package.json
{
"name": "bad-npm",
"version": "1.0.0",
"files": []
}
$ npm pack --dry-run
npm notice
npm notice 📦 bad-npm@1.0.0
npm notice === Tarball Contents ===
npm notice 61B package.json
Nice! (package.json still shows up because npm always includes package.json, README, LICENSE/LICENCE and the file named in main, whatever files says.) Seems like npm should default to an error if there are no files specified.
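Until npm does error on its own, the dry-run check above can be turned into a gate that fails the publish. The script below is an added example, not code from the original post: it runs `npm pack --dry-run --json` (the JSON output shape, an array with one entry per package carrying a `files: [{ path, size, mode }]` list, is assumed to be npm 7+'s `pack --json` format), refuses to continue if any tarball path matches a denylist of secret-looking names, and warns when package.json has no `files` allow list. The constructed sample JSON mirrors the bad-npm@1.0.0 dry run shown above.

```javascript
// Added example (not from the original post): a publish gate built on
// `npm pack --dry-run --json`.  Assumption: npm 7+ prints a JSON array with
// one entry per package, each carrying `files: [{ path, size, mode }]`.
"use strict";

// Paths that must never end up in a published tarball.  Paths are relative
// to the package root, e.g. ".env" or "config/.env.local".
const DENY_PATTERNS = [
  /(^|\/)\.env(\.(?!example$|sample$)[^/]+)?$/, // .env, .env.local; not .env.example
  /(^|\/)\.npmrc$/,                             // registry auth tokens
  /\.(pem|key|p12|pfx)$/,                       // private keys and keystores
  /(^|\/)id_(rsa|ed25519)$/,                    // ssh keys
  /(^|\/)\.git\//,                              // an accidentally packed .git directory
];

// Given the JSON text from `npm pack --dry-run --json`, return the tarball
// paths that match the denylist (in tarball order).  [] means the pack is clean.
function findForbiddenFiles(packJsonText, patterns = DENY_PATTERNS) {
  const packs = JSON.parse(packJsonText);
  if (!Array.isArray(packs)) {
    throw new TypeError("expected a JSON array from `npm pack --json`");
  }
  const forbidden = [];
  for (const pack of packs) {
    for (const file of pack.files || []) {
      if (patterns.some((re) => re.test(file.path))) forbidden.push(file.path);
    }
  }
  return forbidden;
}

// True when package.json declares a `files` allow list.  Without one npm falls
// back to .npmignore/.gitignore rules, which is how the .env above got published.
function hasFilesAllowList(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return Array.isArray(pkg.files);
}

// Constructed sample, shaped like the bad-npm@1.0.0 dry run in the post.
const SAMPLE_PACK_JSON = JSON.stringify([
  {
    id: "bad-npm@1.0.0",
    name: "bad-npm",
    version: "1.0.0",
    filename: "bad-npm-1.0.0.tgz",
    files: [
      { path: ".env", size: 64, mode: 420 },
      { path: "package.json", size: 46, mode: 420 },
    ],
    entryCount: 2,
  },
]);

// CLI entry point, meant for "prepublishOnly": "node check-pack.js --check".
// `npm pack` only runs prepack/postpack, so this does not recurse into itself.
if (typeof require === "function" && require.main === module && process.argv.includes("--check")) {
  const { execFileSync } = require("child_process");
  const fs = require("fs");
  if (!hasFilesAllowList(fs.readFileSync("package.json", "utf8"))) {
    console.warn('warning: package.json has no "files" allow list; npm will fall back to .npmignore/.gitignore rules');
  }
  const packJson = execFileSync("npm", ["pack", "--dry-run", "--json"], {
    encoding: "utf8",
    stdio: ["ignore", "pipe", "inherit"], // npm's own "npm notice" listing goes to stderr
  });
  const bad = findForbiddenFiles(packJson);
  if (bad.length > 0) {
    console.error("refusing to publish, tarball would contain:\n  " + bad.join("\n  "));
    process.exit(1);
  }
  console.log("tarball contents look clean");
}

if (typeof module !== "undefined") {
  module.exports = { DENY_PATTERNS, findForbiddenFiles, hasFilesAllowList, SAMPLE_PACK_JSON };
}
```

Run it by hand with `node check-pack.js --check`, or wire it into `"scripts": { "prepublishOnly": "node check-pack.js --check" }` so `npm publish` aborts before anything leaves the machine. The denylist is a second line of defence, not a replacement for the `files` allow list: it only catches names you thought of in advance.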
Posted by Jesse Shawl on 2021-01-23