False negative scenario: modules which have .npmignore but exclude it from the package

[insin]

They're technically correct (the best kind, ofc :ok_hand:) and I used to do this myself, but this is another reason I now prefer files.

We'll have to fall back completely on heuristics for these packages (e.g. classnames), but I honestly think test folders cover 90% of the npm package bloat I care about.

[petetnt]

One option would be taking the repository field as a last resort and checking if .npmignore exists in the repo. Maybe behind a --i-just-want-to-be-really-really-sure flag or something :ok_hand: