chore: scope npm publish to dist/ and rebuild before publish #58

Merged
alukach merged 3 commits into main from chore/safer-npm-publish
Jun 8, 2026
Conversation

@alukach (Member) commented May 25, 2026

Summary

  • Add a files allowlist so only dist/ (plus npm-default README.md, LICENSE, package.json) is included in the published tarball.
  • Add a prepublishOnly script that wipes dist/ and rebuilds, so we never publish stale build outputs.
  • The existing .npmignore becomes inert once files is set (npm prefers the allowlist). As such, we've removed .npmignore.

Previously the published package shipped all of src/ (including tests), top-level configs (eslint.config.js, jest.config.cjs, vite.config.ts, etc.), and any stale files left in dist/ from prior builds.

Impact

npm pack --dry-run before:

  • 107 files
  • 780 kB packed / 1.1 MB unpacked

After:

  • 26 files
  • 34.6 kB packed / 125.8 kB unpacked

Notes

  • prepublishOnly uses rm -rf dist, which is fine for the macOS/Linux dev + CI environment this repo targets.

Test plan

  • npm pack --dry-run shows the expected 26-file tarball
  • CI checks pass

alukach and others added 2 commits May 25, 2026 09:00
Add a `files` allowlist limiting the published tarball to `dist/`
(plus npm-default README/LICENSE/package.json), and a `prepublishOnly`
script that wipes `dist/` and rebuilds. Without these, the tarball
included all of `src/` (tests, configs) and any stale outputs left in
`dist/`. With them, `npm pack --dry-run` drops from 107 files / 1.1MB
unpacked to 26 files / 126KB unpacked.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

With `files: ["dist"]` in package.json, npm uses the allowlist and
ignores `.npmignore`. Removing the now-inert file to avoid confusion.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@alukach alukach requested a review from AliceR May 25, 2026 16:03
@alukach alukach requested a review from danielfdsilva May 25, 2026 16:03
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@alukach alukach merged commit dbb7675 into main Jun 8, 2026
4 checks passed
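
A CI check in the spirit of the test plan above, as an added example that is not part of this PR or the project's code: it audits the JSON printed by `npm pack --dry-run --json` against the `dist/`-only allowlist and the 26-file count. The package name, file paths and test-artifact patterns are constructed assumptions.

```javascript
// Added example (not from the PR): audit an `npm pack --dry-run --json`
// manifest so source, configs, or test files cannot slip into a release.
const ALLOWED_DIRS = ["dist"]; // mirrors `files: ["dist"]` in package.json
// Root files the PR lists as npm defaults.
const ROOT_DEFAULTS = /^(package\.json|README(\.[^/]+)?|LICEN[CS]E(\.[^/]+)?)$/i;
// Assumed patterns for test artifacts that should not ship even from dist/.
const TEST_ARTIFACT = /(^|\/)__tests__\/|\.(test|spec)\.[^/]+$/;

function isAllowed(path) {
  const parts = path.replace(/^\.\//, "").split("/");
  if (parts.includes("..")) return false; // never accept traversal segments
  if (parts.length === 1) return ROOT_DEFAULTS.test(parts[0]);
  return ALLOWED_DIRS.includes(parts[0]);
}

function auditPack(manifestJson, maxFiles) {
  const [pkg] = JSON.parse(manifestJson); // npm prints an array, one entry per package
  const paths = pkg.files.map((f) => f.path);
  const unexpected = paths.filter((p) => !isAllowed(p));
  const testArtifacts = paths.filter((p) => isAllowed(p) && TEST_ARTIFACT.test(p));
  const overBudget = paths.length > maxFiles; // catches stale outputs piling up in dist/
  const ok = unexpected.length === 0 && testArtifacts.length === 0 && !overBudget;
  return { ok, unexpected, testArtifacts, fileCount: paths.length };
}

// Constructed manifests shaped like npm's output (only `files[].path` is used).
const manifest = (paths) =>
  JSON.stringify([{ name: "example-pkg", files: paths.map((path) => ({ path })) }]);

const BEFORE = manifest([
  "package.json", "README.md", "LICENSE", "dist/index.js", "dist/utils.test.js",
  "src/index.ts", "src/index.test.ts",
  "eslint.config.js", "jest.config.cjs", "vite.config.ts",
]);
const AFTER = manifest([
  "package.json", "README.md", "LICENSE", "dist/index.js", "dist/index.d.ts",
]);

const MAX_FILES = 26; // the file count the PR's test plan expects
for (const [label, m] of [["before", BEFORE], ["after", AFTER]]) {
  const r = auditPack(m, MAX_FILES);
  console.log(label, r.ok ? "OK" : "FAIL", r.unexpected.concat(r.testArtifacts));
}
```

In CI, pass the real output of `npm pack --dry-run --json` to `auditPack` and fail the job when `ok` is false.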
3 participants