cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon npm

[BUG] v11.6.2 erroneously warns about a missing npmignore file

Open ljharb opened this issue 2 months ago • 5 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

This issue exists in the latest npm version

  • [x] I am using the latest npm

Current Behavior

on browserify/resolve, running npx [email protected] pack --dry-run includes this output:

npm warn gitignore-fallback No .npmignore file found, using .gitignore for file exclusion. Consider creating a .npmignore file to explicitly control published files.
npm warn gitignore-fallback No .npmignore file found, using .gitignore for file exclusion. Consider creating a .npmignore file to explicitly control published files.
npm warn gitignore-fallback No .npmignore file found, using .gitignore for file exclusion. Consider creating a .npmignore file to explicitly control published files.

However, there is definitely an npmignore file, and npx [email protected] pack --dry-run correctly omits these warnings.

Expected Behavior

No response

Steps To Reproduce

  1. In this environment...
  2. With this config...
  3. Run '...'
  4. See error...

Environment

  • npm:
  • Node.js:
  • OS Name:
  • System Model Name:
  • npm config:
; copy and paste output from `npm config ls` here

ljharb avatar Oct 20 '25 18:10 ljharb

@ljharb The warning happens because there's a a .gitignore under browserify/resolve/test/shadowed_core, but no .npmignore.

pdrgds avatar Oct 27 '25 19:10 pdrgds

@pdrgds why would there be an npmignore file anywhere but at the root of a package?

Either way this is a new warning in a patch version, so it wasn't shipped in compliance with semver regardless.

ljharb avatar Oct 30 '25 07:10 ljharb

I also just noticed this new warning and frantically canceled my package publish to confirm I hadn't deleted my .npmignore file, which did exist. I couldn't figure out the reason for the warning until finding this issue.

Turns out my repo has one other .gitignore in a directory that is specifically excluded by the top-level npmignore. So, the warning is not even correct in my case because it doesn't fallback to that .gitignore at all.

minimal repo setup, for reference directory tree: 
root
- .gitignore
- .npmignore
- package.json
- src/
- supplementary/
  - .gitignore
  - manifest

.npmignore:

supplementary/**/*
!supplementary/manifest

why would there be an npmignore file anywhere but at the root of a package?

I agree that regardless of the above issue, this feels like a strange and unexpected behavior. At the very least, I would encourage the message to specify where the "missing" .npmignore file is, otherwise the warning gives the impression that npm has a bug where it fails to recognize the top-level one.

antonok-edm avatar Nov 03 '25 19:11 antonok-edm

Another case of the false warning is for packages that don't use .npmignore, and instead opted to use "files" field in their package.json (aka allow list instead of deny list).

EDIT: actually, I'm not so sure anymore. Happened in one package, but not in others. I may be experiencing the same issue as you guys. Saw this on npm i in https://github.com/AviVahl/example-electron-application/ (using 11.6.3)

AviVahl avatar Nov 20 '25 08:11 AviVahl

Also what the point of showing this warning for packages with private: true? They are not meant to publish at all.

RareScrap avatar Dec 10 '25 11:12 RareScrap