How to publish safely to npm

Npm is great. But what isn’t great is accidentally publishing development files or things you’d rather keep secret to npm. Whoops! The fix for this is to exclude the files. There are two options — blacklist or whitelist. But which is best?

Just to have clear definitions:

  • Blacklist — is a list of things to deny. Things on the list go bye-bye.
  • Whitelist — is a list of things to allow. Things on the list stay.

Which is best?

It really depends on the goal. If your top priority is to never publish a package that fails but might contain extra things, I would use a blacklist. Otherwise, a whitelist would be better.

Both approaches have the same result when working correctly, but have slight differences when done wrong.

When done wrong:

  • Blacklist—the package is leaking extra things until someone notices. If a new development asset is added, you have to remember to check if it is covered by the existing rules.
  • Whitelist — the package is published. It doesn’t have the right things. It fails to work when imported as a dependency. The problem is found.

How is it done?

  • Blacklist — add entries to the .npmignore
  • Whitelist — add entries to the files property in the package.json


Leave a Reply

Your email address will not be published. Required fields are marked *