RFC: Expand list of ignored files
Discussion started here: https://github.com/npm/npm-packlist/issues/48 and the @npm/cli-team decided it would be nice to throw a proper RFC to discuss this a bit more with the community.
Action items from the OpenRFC call:
- Restrict this RFC to only items that can be potentially harmful to the ecosystem (high potential of leaking secrets, etc.)
- Let's create a new warning list that would prompt publishers at publish time
It would be awesome if folks can contribute to this by suggesting files that they notice have high potential to be harmful if published by mistake to the registry 😊
What about also ignoring *.sublime-project, bower.json, component.json?
From @bnb in OpenRFC call:
We could borrow items from: https://github.com/github/gitignore/blob/master/Node.gitignore
Is there any incentive to move forward with this? I was shocked to find how many dependabot and workflow files I had in various repos today. Yarn already excludes .github during pack/publish so there is precedent. Internally there seems to be an established list of well known files to blacklist. I found 100+ flavours of dot filenames in local node_modules directories. It may be more code but a warning to suggest using .npmignore or package.files could help with migration. I understand any warnings may not be seen in automation runs - just trying to get some of this to happen.
Please do not include .editorconfig in this list; I run a tool in my packages that lints against it, and I rely on that file being present.
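
The publish-time warning list proposed in this thread can be prototyped as a check over the output of `npm pack --dry-run --json`. This is an added example, not npm's code and not part of any comment above; `WARN_PATTERNS`, `findRiskyFiles` and the sample file list are assumptions, and only `.github`, `*.sublime-project`, `bower.json` and `component.json` are taken from the thread.

```javascript
// Assumed warning list. The first four entries are named in the thread;
// the last three are constructed examples of secret-bearing files.
// .editorconfig is deliberately absent, as one commenter relies on it.
const WARN_PATTERNS = [
  '.github/**', '*.sublime-project', 'bower.json', 'component.json',
  '.env', '.env.*', '*.pem',
];

// Translate a small glob subset: "**" crosses directories, "*" does not.
function globToRegExp(glob) {
  const body = glob
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*\*/g, '\u0000')            // protect "**" from the next step
    .replace(/\*/g, '[^/]*')
    .replace(/\u0000/g, '.*');
  return new RegExp(`^${body}$`);
}

// packJson: the JSON string printed by `npm pack --dry-run --json`
// (an array with one report whose `files` entries carry a `path`).
function findRiskyFiles(packJson, patterns = WARN_PATTERNS) {
  const [report] = JSON.parse(packJson);
  const found = [];
  for (const { path } of report.files) {
    const base = path.split('/').pop();
    for (const pattern of patterns) {
      // Patterns without "/" match the basename at any depth, as in .npmignore.
      const target = pattern.includes('/') ? path : base;
      if (globToRegExp(pattern).test(target)) {
        found.push({ path, pattern });
        break;
      }
    }
  }
  return found;
}

// Constructed sample of pack output (extra fields such as size omitted).
const SAMPLE_PACK_JSON = JSON.stringify([{
  name: 'example-pkg', version: '1.0.0',
  files: [
    { path: 'package.json' }, { path: 'index.js' },
    { path: '.github/workflows/ci.yml' }, { path: '.github/dependabot.yml' },
    { path: 'editor/site.sublime-project' }, { path: 'config/.env.production' },
    { path: '.editorconfig' },
  ],
}]);

for (const { path, pattern } of findRiskyFiles(SAMPLE_PACK_JSON)) {
  console.warn(`warn: "${path}" matches ${pattern}; consider .npmignore or "files"`);
}
```

Because warnings may go unseen in automation runs, as noted above, a CI job can instead fail the build when `findRiskyFiles` returns a non-empty list.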