Do I need to copy-paste stuff from ".gitignore" to ".npmignore" - npm

So I was reading this.
And I'm a bit confused about how it works, as I understood it:
If I only have .gitignore in my repo, npm will use .gitignore, but if I have both .gitignore and .npmignore, npm will only read .npmignore, right? Or will it read both?
I need to know: if it's only reading .npmignore, I have to copy-paste stuff from .gitignore as well.

Or will it read both?
As mentioned here, it will read only the .npmignore.
If you want to include something that is excluded by your .gitignore file, you can create an empty .npmignore file to override it.
Although, Jeff Dickey advocates for: "For the love of god, don’t use .npmignore"
However, what you probably don’t know is that my little action of adding the npmignore file actually causes npm to now consult that file instead of the gitignore files.
This is a major issue—I’ve now leaked all my AWS credentials out to the public just by adding this .npmignore to hide my test directory.
What’s worse is I probably have no idea this happened. npm publish doesn’t show the files that were packed (it actually does with npm 6).
I don’t see the files on the npm registry.
The only real way to see the files is by adding the package to a project and manually looking inside node_modules.
I might do that someday out of curiosity and discover my AWS credentials have been sitting out in the open for months.
Solution/safer alternative:
npm supports whitelisting, though: just add a files attribute to package.json with everything you intend to add to the project.
Now only the files that are specified in files will be included in the project and your dotfiles will be ignored.
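To make the precedence concrete, here is an added example (written for this page; it is not code from the question, the answer, Jeff Dickey's post or npm itself). It models the packing rules described above: a files whitelist in package.json wins; otherwise .npmignore, when present, is consulted instead of .gitignore. The glob matcher is a deliberately simplified approximation of gitignore syntax, the always-included/always-excluded lists are shortened, and the repository listing, the ignore files and the secret patterns are constructed samples. The third scenario reproduces the leak from the quoted post: an .npmignore that only hides test/ silently re-admits everything .gitignore was protecting, while the files whitelist does not.

```javascript
// Added example, not code from the question, the answer or npm itself: a
// small model of npm's packing rules, to show why dropping in an .npmignore
// silently replaces .gitignore and why the "files" whitelist is safer.
// Precedence modelled (simplified): "files" in package.json wins; otherwise
// .npmignore is used when present, else .gitignore. A few paths are always
// packed (package.json, README, LICENSE) or never packed (.git, node_modules,
// .npmrc, package-lock.json). The glob matcher is an approximation of
// gitignore syntax (assumption: enough for the cases shown here).

// Turn one gitignore-style pattern into a RegExp. Supports "*", "**",
// a trailing "/" (directory only) and a leading "/" (anchored to the root).
function patternToRegExp(pattern) {
  let p = pattern.trim();
  const anchored = p.startsWith('/');
  if (anchored) p = p.slice(1);
  const dirOnly = p.endsWith('/');
  if (dirOnly) p = p.slice(0, -1);
  let body = '';
  for (let i = 0; i < p.length; i++) {
    const ch = p[i];
    if (ch === '*') {
      if (p[i + 1] === '*') { body += '.*'; i++; } else { body += '[^/]*'; }
    } else if ('.+?^$()[]{}|\\'.includes(ch)) {
      body += '\\' + ch;          // escape regex metacharacters
    } else {
      body += ch;
    }
  }
  // Unanchored patterns match at any depth; a pattern naming a directory
  // also covers everything beneath it.
  return new RegExp((anchored ? '^' : '(^|/)') + body + (dirOnly ? '/' : '(/|$)'));
}

// Parse the text of an ignore file into rules; "!" negates, "#" comments.
function parseIgnoreFile(text) {
  return text.split('\n')
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => ({
      negate: line.startsWith('!'),
      re: patternToRegExp(line.startsWith('!') ? line.slice(1) : line),
    }));
}

// gitignore semantics: the last matching rule decides.
function isIgnored(filePath, rules) {
  let ignored = false;
  for (const rule of rules) if (rule.re.test(filePath)) ignored = !rule.negate;
  return ignored;
}

const ALWAYS_EXCLUDE = parseIgnoreFile('.git/\nnode_modules/\n.npmrc\npackage-lock.json');
const ALWAYS_INCLUDE = new Set(['package.json', 'README.md', 'LICENSE']);

// Return the subset of `tree` (relative paths) that would land in the tarball.
function packedFiles(tree, { gitignore = null, npmignore = null, files = null } = {}) {
  let keep;
  if (files) {
    // Whitelist mode: only paths matching an entry of "files" are packed.
    const allow = files.map((f) => patternToRegExp(f));
    keep = (p) => allow.some((re) => re.test(p));
  } else {
    // Blacklist mode: .npmignore, if present, is consulted INSTEAD of .gitignore.
    const rules = parseIgnoreFile(npmignore !== null ? npmignore : (gitignore || ''));
    keep = (p) => !isIgnored(p, rules);
  }
  return tree.filter((p) => ALWAYS_INCLUDE.has(p) || (!isIgnored(p, ALWAYS_EXCLUDE) && keep(p)));
}

// The pre-publish check a practitioner wants: which packed paths look like secrets?
function leakedSecrets(packed, secretPatterns) {
  const rules = secretPatterns.map((s) => patternToRegExp(s));
  return packed.filter((p) => rules.some((re) => re.test(p)));
}

// Constructed sample repository listing (not a real project).
const REPO = [
  'package.json', 'README.md', 'index.js', 'lib/util.js',
  'test/run.js', 'test/fixtures/data.json',
  '.env', 'aws-credentials.json',
  'node_modules/left-pad/index.js', 'package-lock.json',
];
const GITIGNORE = '# local secrets, never meant for git or npm\n.env\naws-credentials.json\nnode_modules/\n';
const SECRET_PATTERNS = ['.env', '*.pem', 'aws-credentials.json'];

const gitOnly = packedFiles(REPO, { gitignore: GITIGNORE });
const withNpmignore = packedFiles(REPO, { gitignore: GITIGNORE, npmignore: 'test/\n' });
const whitelisted = packedFiles(REPO, { gitignore: GITIGNORE, files: ['index.js', 'lib'] });

console.log('gitignore only  :', gitOnly);
console.log('with .npmignore :', withNpmignore, 'leaks:', leakedSecrets(withNpmignore, SECRET_PATTERNS));
console.log('files whitelist :', whitelisted, 'leaks:', leakedSecrets(whitelisted, SECRET_PATTERNS));
```

On a real project the equivalent check is to run npm pack --dry-run (or inspect the tarball npm pack produces) before every publish and grep the file list for anything that should never leave the machine; the model above just makes the precedence rule visible without a registry.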

Related

Permanent fix for lockfileVersion of npm-shrinkwrap to lockfileVersion#1, it automatically makes lockfileversion#2?

I am getting this when I am trying to push my code into GitHub Actions or build a docker image.
shell: /usr/bin/bash -e {0}
npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion#1, but package-lock.json was generated for lockfileVersion#2. I'll try to do my best with it!
I tried to implement this Link; it works, but after some commits I am getting the same error again and I have to repeat the same procedure again and again.
Any fix for that?
Look in your .gitignore for whether you have the lines:
package-lock.json
node_modules/
If not, then add them.
After that, look in your GitHub repository and delete the package-lock.json file and the node_modules directory (if any).
Important Edit:
My bad, Kevin Martin is right: the official documentation tells us to add it to the repository for CI/CD.
This file is intended to be committed into source repositories, and serves various purposes:
Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
To facilitate greater visibility of tree changes through readable source control diffs.
And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
But in my case (Azure DevOps) I had a lot of trouble with it.

Nuxt - Purpose of README.md in each folder in the default project structure

I wonder why there is a README.md in every folder in the default project structure. Is it intended to keep it?
Answer from the Nuxt Discord: Create-nuxt-app only recently made git optional, but it was automatically added previously. AFAIK git can't track empty directories, thus they used README.md to mitigate this. Other solutions I've seen are creating files like .gitignore or .gitkeep inside an empty directory to ensure the empty directory is tracked/committed. It can be any name, but gitkeep seems to be what people gravitated to, yet I never did this personally.

general question about node_modules and security

Can't find anything on this online and might be a non-issue, but I figured I'd ask here to make sure.
We run the Wordfence security plugin on a bunch of WordPress sites and have recently seen this "critical issue" reported:
Filename: wp-content/themes/theme-name/node_modules/webpack-assets-manifest/test/fixtures/client.js
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity.
If you know about this file you can choose to ignore it to exclude it from future scans.
The matched text in this file is: require('./Ginger.jpg');
The issue type is: Backdoor:PHP/req_img.3645
Description: A backdoor known as req_img
Now first of all that doesn't look like a backdoor to me, especially since node_modules contents aren't executed unless I run npm (or yarn), as far as I understand. Is this more serious than I think?
Secondly, when running npm/yarn on the server, the node_modules folder has chmod 775 (drwxrwxr-x) by default. Is it okay to leave it like that or should we take any action?

NPM : Create an NPM package that adds files and folders to the project root directory

I've created a web app template that I use frequently for many different projects.
I would like to create an NPM package for it so that it's easier to install for new projects, separate the template from the project files, separate the template dependencies from the project dependencies, and allow easier updating of the template across all projects.
The issue I have is that I need some files/folders to be installed in the root directory (i.e. where package.json is saved). Most can go in the node_modules folder however I have some files that must be placed in the root directory.
For example, the template uses Next.js with a custom _app.js file. This must be in the root directory in a folder named pages. I also have various config files that must be in the root directory.
Can this be done with NPM, or does everything need to be installed in the node_modules folder? I'm having trouble finding anything on SO or Google that answers this, so if you happen to know a guide online on how to do this or can outline things I should search for it would be much appreciated.
With pure npm, everything has to go to the node_modules folder, so you can't solve your issue this way.
Maybe going with a templating tool such as grunt init or yeoman could be a solution here, although – unfortunately – you'll then lose some of the benefits of being able to install a package via npm.
Another option might be to use GitHub template repositories, which have just been introduced recently.
Last but not least, one option might also be to just have the files' contents in the npm package, but create the pages/_app.js manually, and inside of it simply require the file contents from an npm module, and that's it. This at least helps to have the content portable, but of course it still asks you to set up the file and folder structure on your own.
Sorry that I don't have a better answer, but I hope it helps anyway.
PS: One "solution" might also be to use the postinstall step in an npm module's package.json file to create folder structure, copy files to where they should be and so on, but at least to me this feels more like a clumsy workaround than like a real solution.

Intellij IDEA brown highlighted file name

IntelliJ IDEA shows files and folders as unversioned, but they are already in the remote repository. Is it because these files are imported node modules? Or does this file color mean something else?
The color is because the node_modules folder is marked as the library root.
Consider removing node_modules from source control. A general best practice is to keep the repository small and without dependencies. If you check in your package.json and package-lock.json, anyone who checks out the repository can download the same dependencies and run your project.
This will keep the footprint of your repository small and tidy and makes it faster to download/process (e.g. in a build tool like Jenkins).
Tip: after you've removed node_modules, add a .gitignore file to exclude it so it won't be accidentally checked in again.