[pack] does not handle negations in package.json files property #7888

Closed
flash-me opened this issue Feb 7, 2020 · 4 comments
Labels
fixed-in-modern This issue has been fixed / implemented in Yarn 2+.

flash-me commented Feb 7, 2020

Bug description

Command

yarn pack

What is the current behavior?
Yarn pack also includes negated patterns when creating a package.
The files property in package.json allows us to define what to include in our package when packing / publishing.
When using a negation like !foo.js, yarn will still include foo.js in the package.

What is the expected behavior?
Yarn pack should handle negated globs correctly, like npm handles it.

Steps to Reproduce

# create package with two files
yarn init -y && touch include.me exclude.me
# add files property to package.json
sed -i 's/\(.*lic.*\)/\1,\n\t"files": ["include.me", "!exclude.me"]/' package.json
# pack & extract
yarn pack --filename foo.tgz && tar -xf foo.tgz
# list files in package
ls package/

Will contain include.me, exclude.me and package.json

Whereas npm pack --dry-run --verbose will not include the exclude.me file:

image

Environment

  • Node Version: 12.14.1
  • Yarn v1 Version: 1.22.x
  • OS and version: Windows 10 Version 1909 (OS Build 19363.628)
@pixelastic

To add to the severity of this issue, I had a !**/__tests__/ entry in my .files key to not release test files. It was working correctly with npm, but when packaged through yarn it actually released my whole directory to npm, including files and directories that were ignored by git.

Hopefully I didn't have any sensitive information (like .envrc files), but it still pushed a very large set of files to npm

@flash-me
Author

Same case happened to me, but luckily I was publishing to a private registry

Cheers
flash ⚡

fuxingloh added a commit to fuxingloh/yarnpkg-website that referenced this issue Apr 27, 2020
The glob pattern negate flag in package.json#files is not supported in yarn; it is not written anywhere.
Apparently it's an implementation choice, judging from utils/filter.js and cli/pack.js in the yarn source code.
I think it might be best to mention this in the docs.

yarnpkg/yarn#7888
team-innovation/vue-sfc-rollup#40
fuxingloh/yarn@62b7282
@brunohpaiva

Any updates on this issue? I've faced the same situation that pixelastic wrote.

@merceyz
Member

merceyz commented Jan 2, 2021

Closing as fixed in v2

https://yarnpkg.com/getting-started/migration
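
A pre-publish check for the behaviour reported in this issue, as an added example that is not part of the thread or of Yarn's code: it takes the entry list of a packed tarball (as printed by `tar -tzf`) and the `files` array, and returns the entries that a negated pattern should have kept out. The function names, the simplified glob subset (`*`, `**`, `?`, trailing `/`) and the sample listing are assumptions made for this example; it does not reproduce npm's full matching rules.

```javascript
// Convert a simplified glob (*, **, ?) into an anchored RegExp.
// Assumption: this subset stands in for npm's full matcher.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') {
      // "**/" spans zero or more directories; a bare "**" spans anything.
      if (glob[i + 2] === '/') { re += '(?:.*/)?'; i += 2; }
      else { re += '.*'; i += 1; }
    } else if (c === '*') {
      re += '[^/]*';
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    }
  }
  return new RegExp('^' + re + '$');
}

// entries: lines from `tar -tzf <tarball>` (each starts with "package/").
// files:   the "files" array from package.json.
// Returns the shipped paths that a negated ("!pattern") entry excludes.
function findLeakedEntries(entries, files) {
  const negated = files
    .filter((p) => p.startsWith('!'))
    .map((p) => p.slice(1).replace(/^\.?\//, ''))
    // A trailing "/" names a directory: exclude everything below it.
    .map((p) => globToRegExp(p.endsWith('/') ? p + '**' : p));
  return entries
    .map((e) => e.replace(/^package\//, ''))
    .filter((rel) => rel !== '' && !rel.endsWith('/'))
    .filter((rel) => negated.some((re) => re.test(rel)));
}

// Constructed sample: the listing from the reproduction steps above,
// plus a test directory like the one described in the second comment.
const sampleFiles = ['include.me', '!exclude.me', '!**/__tests__/'];
const sampleEntries = [
  'package/package.json',
  'package/include.me',
  'package/exclude.me',
  'package/src/__tests__/index.test.js',
  'package/src/index.js',
];
const leaked = findLeakedEntries(sampleEntries, sampleFiles);
console.log(leaked.length ? 'must not ship: ' + leaked.join(', ') : 'ok');
```

Run against the real listing before `publish`, a non-empty result means the tarball contains files the `files` negations were meant to hold back.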
