
Inconsistent output between npm publish and yarn publish causing unwanted files to leak when publishing to npm #40

Closed
fuxingloh opened this issue Apr 26, 2020 · 2 comments

Comments

@fuxingloh

"files": [
  "dist/*",
  "src/**/*.vue",
  "!src/serve-dev.*"
],

This affects yarn only: when running yarn pack, the field "files" specified in package.json used for whitelisting is entirely ignored because of "!src/serve-dev.*". I think the implementation in yarn is stateless, meaning it will take the glob pattern of all 3 outputs. This results in my entire directory being published to npm when I use yarn publish, which can leak unwanted secrets.

References:
https://classic.yarnpkg.com/en/docs/package-json/#toc-files
https://docs.npmjs.com/files/package.json#files

For my project, I removed "files" and used .npmignore instead as they both produce the same result. fuxingloh/vue-horizontal-list@252f988

More Info:

NPM: npm pack < 👍

Version: 6.14.4
npm pack && tar -xvzf *.tgz && rm -rf package *.tgz

Output:

x package/LICENSE
x package/dist/vue-horizontal-list.esm.js
x package/dist/vue-horizontal-list.min.js
x package/dist/vue-horizontal-list.ssr.js
x package/package.json
x package/README.md
x package/src/vue-horizontal-list.vue

YARN: yarn pack < 👎

Version: 1.22.4
yarn pack && tar -xvzf *.tgz && rm -rf package *.tgz

Output:

x package
x package/.DS_Store
x package/.browserslistrc
x package/.gitignore
x package/.idea
x package/.npmignore-t
x package/LICENSE
x package/README.md
x package/babel.config.js
x package/build
x package/demo.png
x package/dist
[...]
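A pre-publish gate in the spirit of the npm/yarn comparison above, added here as an example (it is not code from vue-sfc-rollup, yarn or the issue author): it checks a pack tarball's member list against the issue's `files` allowlist and the negated `serve-dev` entry, so a tarball like the yarn one above fails before `publish`. The `package/` prefix and the always-included package.json/README/LICENSE reflect npm's tarball layout; the sample listings in the comments are constructed from the output above.

```shell
#!/bin/sh
# Added example (not part of vue-sfc-rollup or yarn): a pre-publish gate that
# lists what a pack tarball really contains and fails if anything outside an
# explicit allowlist would ship. Patterns are POSIX shell globs matched with
# `case`; there `*` also matches `/`, so "package/dist/*" covers subdirectories,
# much like npm's "dist/*" together with "src/**/*.vue".
set -f  # no pathname expansion, so the patterns below stay literal

# Allowlist, mirroring the issue's "files" field (dist/*, src/**/*.vue).
# npm always includes package.json, README and LICENSE, so allow them too.
ALLOWED='package/package.json package/README.md package/LICENSE package/dist/* package/src/*.vue'
# Denylist, mirroring the negated entry "!src/serve-dev.*" that yarn mishandles.
DENIED='package/src/serve-dev.*'

# matches_any PATH PATTERNS -> 0 if PATH matches any space-separated pattern
matches_any() {
  path=$1
  for pat in $2; do
    # $pat is deliberately unquoted so `case` treats it as a glob pattern
    case "$path" in
      $pat) return 0 ;;
    esac
  done
  return 1
}

# check_listing: reads one tarball member path per line from stdin (the format
# of `tar -tzf`), reports every path that is denied or not allowlisted, and
# returns 1 if any were found. Constructed inputs: the npm listing above
# (package/LICENSE, package/dist/*.js, package/src/vue-horizontal-list.vue)
# passes; the yarn listing (package/.DS_Store, package/babel.config.js, ...) fails.
check_listing() {
  bad=0
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    # `tar -tzf` prints directories with a trailing slash; only files matter
    case "$entry" in */) continue ;; esac
    if matches_any "$entry" "$DENIED" || ! matches_any "$entry" "$ALLOWED"; then
      printf 'unexpected file in tarball: %s\n' "$entry" >&2
      bad=1
    fi
  done
  return "$bad"
}

# check_tarball TGZ: run the gate on a real tarball from `npm pack` / `yarn pack`
check_tarball() {
  tar -tzf "$1" | check_listing
}
```

Run `yarn pack && check_tarball vue-horizontal-list-*.tgz` in CI ahead of `publish`; a non-zero exit means the tarball contains files the `files` field was supposed to exclude.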
fuxingloh added a commit to fuxingloh/yarnpkg-website that referenced this issue Apr 27, 2020
The glob pattern negate flag in package.json#files is not supported in yarn; it is not written anywhere.
Apparently it's an implementation choice, from looking at utils/filter.js and cli/pack.js in the yarn source code.
I think it might be best to mention this in the docs.

yarnpkg/yarn#7888
team-innovation/vue-sfc-rollup#40
fuxingloh/yarn@62b7282
@mgdodge
Collaborator

mgdodge commented Apr 29, 2020

There is an open bug with yarn surrounding the differences between npm and yarn in this regard. According to this comment on the thread, the comment immediately following, and the relevant article, it would seem that using .npmignore is opting for a blacklist approach instead of a whitelist. While this may work for some, it comes with more inherent risks - thus I am opting against it.

With a little tweak, I can remove the need for the negate flag entirely, and thus make the files array work for both yarn and npm. I will look into getting this done in the next patch release, which is already well under way.

@mgdodge mgdodge closed this as completed Apr 29, 2020
@mgdodge
Collaborator

mgdodge commented Apr 29, 2020

FYI, v3.0.0 was just released and addresses this.
